Vulnerability Description
Insecure Direct Object Reference in edit function of Advanced Forms (Free & Pro) before 1.6.9 allows authenticated remote attacker to change arbitrary user's email address and request for reset password, which could lead to take over of WordPress's administrator account. To exploit this vulnerability, an attacker must register to obtain a valid WordPress's user and use such user to authenticate with WordPress in order to exploit the vulnerable edit function.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Advanced Forms Project | Advanced Forms | < 1.6.9 |
Related Weaknesses (CWE)
References
- https://github.com/advancedforms/advanced-forms/commit/2ce3ab6985c3a909eefb01c56PatchThird Party Advisory
- https://wpscan.com/vulnerability/364b0843-a990-4204-848a-60c928cc5bc0ExploitThird Party Advisory
- https://github.com/advancedforms/advanced-forms/commit/2ce3ab6985c3a909eefb01c56PatchThird Party Advisory
- https://wpscan.com/vulnerability/364b0843-a990-4204-848a-60c928cc5bc0ExploitThird Party Advisory
FAQ
What is CVE-2021-24892?
CVE-2021-24892 is a vulnerability with a CVSS score of 8.8 (HIGH). Insecure Direct Object Reference in edit function of Advanced Forms (Free & Pro) before 1.6.9 allows authenticated remote attacker to change arbitrary user's email address and request for reset passwo...
How severe is CVE-2021-24892?
CVE-2021-24892 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-24892?
Check the references section above for vendor advisories and patch information. Affected products include: Advanced Forms Project Advanced Forms.