Vulnerability Description
The Plus Addons for Elementor Page Builder WordPress plugin before 4.1.7 was being actively exploited to by malicious actors to bypass authentication, allowing unauthenticated users to log in as any user (including admin) by just providing the related username, as well as create accounts with arbitrary roles, such as admin. These issues can be exploited even if registration is disabled, and the Login widget is not active.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Posimyth | The Plus Addons For Elementor | < 4.1.7 |
Related Weaknesses (CWE)
References
- https://posimyth.ticksy.com/ticket/2713734/Broken Link
- https://wpscan.com/vulnerability/c311feef-7041-4c21-9525-132b9bd32f89ExploitThird Party Advisory
- https://www.wordfence.com/blog/2021/03/critical-0-day-in-the-plus-addons-for-eleThird Party Advisory
- https://posimyth.ticksy.com/ticket/2713734/Broken Link
- https://wpscan.com/vulnerability/c311feef-7041-4c21-9525-132b9bd32f89ExploitThird Party Advisory
- https://www.wordfence.com/blog/2021/03/critical-0-day-in-the-plus-addons-for-eleThird Party Advisory
FAQ
What is CVE-2021-24175?
CVE-2021-24175 is a vulnerability with a CVSS score of 9.8 (CRITICAL). The Plus Addons for Elementor Page Builder WordPress plugin before 4.1.7 was being actively exploited to by malicious actors to bypass authentication, allowing unauthenticated users to log in as any u...
How severe is CVE-2021-24175?
CVE-2021-24175 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2021-24175?
Check the references section above for vendor advisories and patch information. Affected products include: Posimyth The Plus Addons For Elementor.