CVE-2021-24752

Name: CVE-2021-24752
Creator: NVD / NIST
Published: 2021-10-18T14:15:10.04+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

MEDIUMCVSS 5.7/10EPSS 0.41%

Last modified Jun 17, 2026

CVE-2021-24752 is a medium-severity vulnerability rated 5.7/10 on the CVSS scale. Multiple Plugins from the CatchThemes vendor do not perform capability and CSRF checks in the ctp_switch AJAX action, which could allow any authenticated users, such as Subscriber to change the Essential Widgets WordPress plugin before 1.9, To Top WordPress plugin before 2.3, Header Enhancement WordPress plugin before 1.5, Generate Child Theme WordPress plugin before 1.6, Essential Content Types WordPress plugin before 1.9, Catch Web Tools WordPress plugin before 2.7, Catch Under Construction WordPress plugin before 1.4, Catch Themes Demo Import WordPress plugin before 1.6, Catch Sticky Menu WordPress plugin before 1.7, Catch Scroll Progress Bar WordPress plugin before 1.6, Social Gallery and Widget WordPress plugin before 2.3, Catch Infinite Scroll WordPress plugin before 1.9, Catch Import Export WordPress plugin before 1.9, Catch Gallery WordPress plugin before 1.7, Catch Duplicate Switcher WordPress plugin before 1.6, Catch Breadcrumb WordPress plugin before 1.7, Catch IDs WordPress plugin before 2.4's configurations.. EPSS estimates a 0.41% chance of exploitation in the next 30 days.

Description

Multiple Plugins from the CatchThemes vendor do not perform capability and CSRF checks in the ctp_switch AJAX action, which could allow any authenticated users, such as Subscriber to change the Essential Widgets WordPress plugin before 1.9, To Top WordPress plugin before 2.3, Header Enhancement WordPress plugin before 1.5, Generate Child Theme WordPress plugin before 1.6, Essential Content Types WordPress plugin before 1.9, Catch Web Tools WordPress plugin before 2.7, Catch Under Construction WordPress plugin before 1.4, Catch Themes Demo Import WordPress plugin before 1.6, Catch Sticky Menu WordPress plugin before 1.7, Catch Scroll Progress Bar WordPress plugin before 1.6, Social Gallery and Widget WordPress plugin before 2.3, Catch Infinite Scroll WordPress plugin before 1.9, Catch Import Export WordPress plugin before 1.9, Catch Gallery WordPress plugin before 1.7, Catch Duplicate Switcher WordPress plugin before 1.6, Catch Breadcrumb WordPress plugin before 1.7, Catch IDs WordPress plugin before 2.4's configurations.

Metrics

CVSS 3.1

5.7/10

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N

EPSS Probability

0.41%

32.5th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions
Catchplugins	Catch Scroll Progress Bar	< 1.6
Catchplugins	Catch Sticky Menu	< 1.7
Catchplugins	Catch Themes Demo Import	< 1.6
Catchplugins	Catch Under Construction	< 1.4
Catchplugins	Catch Web Tools	< 2.7
Catchplugins	Essential Content Types	< 1.9
Catchplugins	Essential Widgets	< 1.9
Catchplugins	Generate Child Theme	< 1.6
Catchplugins	Header Enhancement	< 1.5
Catchplugins	To Top	< 2.3

References

https://wpscan.com/vulnerability/181a729e-fffe-457c-9e8d-a4343fd2e630Exploit, Third Party Advisory
https://wpscan.com/vulnerability/181a729e-fffe-457c-9e8d-a4343fd2e630Exploit, Third Party Advisory

Timeline

Published: Oct 18, 2021
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2021-24752?

How severe is CVE-2021-24752?

CVE-2021-24752 has a CVSS score of 5.7/10 (MEDIUM severity). The EPSS model estimates a 0.41% probability of exploitation in the next 30 days.

How do I fix CVE-2021-24752?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2021-24752?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST