CVE-2021-24867

Name: CVE-2021-24867
Creator: NVD / NIST
Published: 2022-02-21T11:15:08.32+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

CRITICALCVSS 9.8/10EPSS 18.88%

Last modified Jun 17, 2026

CVE-2021-24867 is a critical-severity vulnerability rated 9.8/10 on the CVSS scale. Numerous Plugins and Themes from the AccessPress Themes (aka Access Keys) vendor are backdoored due to their website being compromised. Only plugins and themes downloaded via the vendor website are affected, and those hosted on wordpress.org are not. EPSS estimates a 18.88% chance of exploitation in the next 30 days.

Description

Numerous Plugins and Themes from the AccessPress Themes (aka Access Keys) vendor are backdoored due to their website being compromised. Only plugins and themes downloaded via the vendor website are affected, and those hosted on wordpress.org are not. However, all of them were updated or removed to avoid any confusion

Metrics

CVSS 3.1

9.8/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Probability

18.88%

96.9th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-912

Affected Software

Vendor	Product	Versions
Accesspressthemes	Accessbuddy	1.0.0
Accesspressthemes	Accesspress Anonymous Post	2.8.0
Accesspressthemes	Accesspress Basic	3.2.1
Accesspressthemes	Accesspress Custom Css	2.0.1
Accesspressthemes	Accesspress Custom Post Type	1.0.8
Accesspressthemes	Accesspress Ifeeds	4.0.3
Accesspressthemes	Accesspress Lite	2.92
Accesspressthemes	Accesspress Mag	2.6.5
Accesspressthemes	Accesspress Parallax	4.5
Accesspressthemes	Accesspress Ray	1.19.5
Accesspressthemes	Accesspress Root	2.5
Accesspressthemes	Accesspress Social Counter	1.9.1
Accesspressthemes	Accesspress Social Icons	1.8.2
Accesspressthemes	Accesspress Social Login Lite	3.4.7
Accesspressthemes	Accesspress Social Share	4.5.5
Accesspressthemes	Accesspress Staple	1.9.1
Accesspressthemes	Accesspress Store	2.4.9
Accesspressthemes	Agency Lite	1.1.6
Accesspressthemes	Ap Companion	< 1.0.7
Accesspressthemes	Ap Contact Form	1.0.6
Accesspressthemes	Ap Custom Testimonial	1.4.6
Accesspressthemes	Ap Mega Menu	3.0.5
Accesspressthemes	Ap Pricing Tables Lite	1.1.2
Accesspressthemes	Apex Notification Bar Lite	2.0.4
Accesspressthemes	Aplite	1.0.6
Accesspressthemes	Badge Designer Lite For Woocommerce	1.1.0
Accesspressthemes	Bingle	1.0.4
Accesspressthemes	Bloger	1.2.6
Accesspressthemes	Comments Disable - Accesspress	1.0.7
Accesspressthemes	Construction Lite	1.2.5
Accesspressthemes	Doko	1.0.27
Accesspressthemes	Easy Side Tab	1.0.7
Accesspressthemes	Enlighten	1.3.5
Accesspressthemes	Everest Admin Theme Lite	1.0.7
Accesspressthemes	Everest Coming Soon Lite	1.1.0
Accesspressthemes	Everest Comment Rating Lite	2.0.4
Accesspressthemes	Everest Counter Lite	2.0.7
Accesspressthemes	Everest Faq Manager Lite	1.0.8
Accesspressthemes	Everest Gallery Lite	1.0.8
Accesspressthemes	Everest Gplaces Business Reviews	1.0.9
Accesspressthemes	Everest Review Lite	1.0.7
Accesspressthemes	Everest Tab Lite	2.0.3
Accesspressthemes	Everest Timeline Lite	1.1.1
Accesspressthemes	Fashstore	1.2.1
Accesspressthemes	Form Store To Db	1.0.9
Accesspressthemes	Fotography	2.4.0
Accesspressthemes	Gaga Corp	1.0.8
Accesspressthemes	Gaga Lite	1.4.2
Accesspressthemes	Inline Call To Action Builder Lite	1.1.0
Accesspressthemes	Mcontact Button	< 2.0.7

Showing 50 of 93 affected configurations. See NVD for the full list.

References

https://jetpack.com/2022/01/18/backdoor-found-in-themes-and-plugins-from-accesspress-themes/Exploit, Third Party Advisory
https://wpscan.com/vulnerability/9c76bada-fa32-4c2f-9855-d0efd1e63effExploit, Third Party Advisory
https://jetpack.com/2022/01/18/backdoor-found-in-themes-and-plugins-from-accesspress-themes/Exploit, Third Party Advisory
https://wpscan.com/vulnerability/9c76bada-fa32-4c2f-9855-d0efd1e63effExploit, Third Party Advisory

Timeline

Published: Feb 21, 2022
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2021-24867?

How severe is CVE-2021-24867?

CVE-2021-24867 has a CVSS score of 9.8/10 (CRITICAL severity). The EPSS model estimates a 18.88% probability of exploitation in the next 30 days.

How do I fix CVE-2021-24867?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2021-24867?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST