Vulnerability Description
Low privileged users can use the AJAX action 'cp_plugins_do_button_job_later_callback' in the Visitor Traffic Real Time Statistics WordPress plugin before 2.12, to install any plugin (including a specific version) from the WordPress repository, as well as activate arbitrary plugin from then blog, which helps attackers install vulnerable plugins and could lead to more critical vulnerabilities like RCE.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Wp-Buy | Visitor Traffic Real Time Statistics | < 2.12 |
Related Weaknesses (CWE)
References
- https://wpscan.com/vulnerability/74889e29-5349-43d1-baf5-1622493be90cExploitPatchThird Party Advisory
- https://wpscan.com/vulnerability/74889e29-5349-43d1-baf5-1622493be90cExploitPatchThird Party Advisory
FAQ
What is CVE-2021-24193?
CVE-2021-24193 is a vulnerability with a CVSS score of 8.8 (HIGH). Low privileged users can use the AJAX action 'cp_plugins_do_button_job_later_callback' in the Visitor Traffic Real Time Statistics WordPress plugin before 2.12, to install any plugin (including a spec...
How severe is CVE-2021-24193?
CVE-2021-24193 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-24193?
Check the references section above for vendor advisories and patch information. Affected products include: Wp-Buy Visitor Traffic Real Time Statistics.