Vulnerability Description
Low privileged users can use the AJAX action 'cp_plugins_do_button_job_later_callback' in the Login as User or Customer (User Switching) WordPress plugin before 1.8, to install any plugin (including a specific version) from the WordPress repository, as well as activate arbitrary plugin from then blog, which helps attackers install vulnerable plugins and could lead to more critical vulnerabilities like RCE.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Wp-Buy | Login As User Or Customer \(User Switching\) | < 1.8 |
Related Weaknesses (CWE)
References
- https://wpscan.com/vulnerability/74889e29-5349-43d1-baf5-1622493be90cExploitPatchThird Party Advisory
- https://wpscan.com/vulnerability/74889e29-5349-43d1-baf5-1622493be90cExploitPatchThird Party Advisory
FAQ
What is CVE-2021-24195?
CVE-2021-24195 is a vulnerability with a CVSS score of 8.8 (HIGH). Low privileged users can use the AJAX action 'cp_plugins_do_button_job_later_callback' in the Login as User or Customer (User Switching) WordPress plugin before 1.8, to install any plugin (including a...
How severe is CVE-2021-24195?
CVE-2021-24195 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-24195?
Check the references section above for vendor advisories and patch information. Affected products include: Wp-Buy Login As User Or Customer \(User Switching\).