CVE-2021-24175

The Plus Addons for Elementor Page Builder < 4.1.7 - Authentication Bypass

Basic Information

CVE State
PUBLISHED
Reserved Date
January 14, 2021
Published Date
April 05, 2021
Last Updated
August 03, 2024
Vendor
Unknown
Product
The Plus Addons for Elementor Page Builder
Description
The Plus Addons for Elementor Page Builder WordPress plugin before 4.1.7 was being actively exploited by malicious actors to bypass authentication, allowing unauthenticated users to log in as any user (including admin) by just providing the related username, as well as create accounts with arbitrary roles, such as admin. These issues can be exploited even if registration is disabled and the Login widget is not active.
Tags
wordpress

CVSS Scores

CVSS v3.1

9.8 - CRITICAL

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2.0

7.5

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploit Status

Exploited in the Wild
Yes (2021-04-05 18:27:44 UTC)

Known Exploited Vulnerability Information

Source
CVE
Added Date
2021-04-05 18:27:44 UTC

Timeline

  • CVE ID Reserved

  • CVE Published to Public

  • Added to KEVIntel