1. Home
  2. CVE Database
  3. CVE-2021-24190
HIGH · 8.8

CVE-2021-24190

Low privileged users can use the AJAX action 'cp_plugins_do_button_job_later_callback' in the WooCommerce Conditional Marketing Mailer WordPress plugin before 1.5.2, to install any plugin (including a...

Vulnerability Description

Low privileged users can use the AJAX action 'cp_plugins_do_button_job_later_callback' in the WooCommerce Conditional Marketing Mailer WordPress plugin before 1.5.2, to install any plugin (including a specific version) from the WordPress repository, as well as activate arbitrary plugin from then blog, which helps attackers install vulnerable plugins and could lead to more critical vulnerabilities like RCE.

CVSS Score

8.8

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
HIGH

Affected Products

VendorProductVersions
Wp-BuyConditional Marketing Mailer< 1.5.2

Related Weaknesses (CWE)

CWE-285

References

FAQ

What is CVE-2021-24190?

CVE-2021-24190 is a vulnerability with a CVSS score of 8.8 (HIGH). Low privileged users can use the AJAX action 'cp_plugins_do_button_job_later_callback' in the WooCommerce Conditional Marketing Mailer WordPress plugin before 1.5.2, to install any plugin (including a...

How severe is CVE-2021-24190?

CVE-2021-24190 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2021-24190?

Check the references section above for vendor advisories and patch information. Affected products include: Wp-Buy Conditional Marketing Mailer.