CVE-2021-4374

Basic Information

CVE State: PUBLISHED
Reserved Date: June 06, 2023
Published Date: June 07, 2023
Last Updated: December 28, 2024
Vendor: ValvePress
Product: WordPress Automatic Plugin
Description: The WordPress Automatic Plugin for WordPress is vulnerable to arbitrary options updates in versions up to, and including, 3.53.2. This is due to missing authorization and option validation in the process_form.php file. This makes it possible for unauthenticated attackers to arbitrarily update the settings of a vulnerable site and ultimately compromise the entire site.
Tags: nuclei_scanner

CVSS Scores

CVSS v3.1

9.1 - CRITICAL

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

SSVC Information

Exploitation: none
Automatable: Yes
Technical Impact: partial

Exploit Status

Exploited in the Wild: Yes (2026-04-25 00:00:00 UTC)

Known Exploited Vulnerability Information

Source: The Shadowserver (via CIRCL)
Added Date: 2026-04-25 00:00:00 UTC

Timeline

  • CVE ID Reserved

  • CVE Published to Public

  • Added to KEVIntel

  • Detected by Nuclei