1. Home
  2. CVE Database
  3. CVE-2021-24191
HIGH · 8.8

CVE-2021-24191

Low privileged users can use the AJAX action 'cp_plugins_do_button_job_later_callback' in the WP Maintenance Mode & Site Under Construction WordPress plugin before 1.8.2, to install any plugin (includ...

Vulnerability Description

Low privileged users can use the AJAX action 'cp_plugins_do_button_job_later_callback' in the WP Maintenance Mode & Site Under Construction WordPress plugin before 1.8.2, to install any plugin (including a specific version) from the WordPress repository, as well as activate arbitrary plugin from then blog, which helps attackers install vulnerable plugins and could lead to more critical vulnerabilities like RCE.

CVSS Score

8.8

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
HIGH

Affected Products

VendorProductVersions
WpshopmartComing Soon Page \& Maintenance Mode< 1.8.2

Related Weaknesses (CWE)

CWE-285

References

FAQ

What is CVE-2021-24191?

CVE-2021-24191 is a vulnerability with a CVSS score of 8.8 (HIGH). Low privileged users can use the AJAX action 'cp_plugins_do_button_job_later_callback' in the WP Maintenance Mode & Site Under Construction WordPress plugin before 1.8.2, to install any plugin (includ...

How severe is CVE-2021-24191?

CVE-2021-24191 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2021-24191?

Check the references section above for vendor advisories and patch information. Affected products include: Wpshopmart Coming Soon Page \& Maintenance Mode.