CVE-2021-24175 Information

Description

The Plus Addons for Elementor Page Builder WordPress plugin before 4.1.7 was being actively exploited by malicious actors to bypass authentication, allowing unauthenticated users to log in as any existing user (including admin) simply by supplying the target username, and to create new accounts with arbitrary roles such as administrator. These issues can be exploited even if registration is disabled and the Login widget is not active.
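The advisory gives the affected version range and the two outcomes of the bypass (login as any user, creation of accounts with arbitrary roles) but no exploit details, so the practical checks are a version comparison and an audit for administrator accounts that the site operator did not create. The script below is an added example and is not code from the plugin vendor, WPScan or Wordfence. It assumes the standard WordPress schema (a `wp_users` table joined to `wp_usermeta` on the PHP-serialized `wp_capabilities` row); the database rows it runs against are constructed sample data held in an in-memory SQLite database, and the `wp-support` account in them is a constructed stand-in for an attacker-created admin.

```python
"""Post-exposure checks for CVE-2021-24175 (added example, not vendor code).

Assumptions not stated on the advisory page: the installed plugin version
string is available to the caller, and the site database uses the standard
WordPress schema (wp_users / wp_usermeta with a PHP-serialized
wp_capabilities array). All rows below are constructed sample data.
"""
import re
import sqlite3

# The advisory says versions before 4.1.7 are affected.
FIXED_VERSION = (4, 1, 7)


def parse_version(version: str) -> tuple:
    """Turn '4.1.7' into (4, 1, 7); missing trailing segments count as 0."""
    parts = [int(p) for p in re.findall(r"\d+", version)][:3]
    return tuple(parts + [0] * (3 - len(parts)))


def is_affected(version: str) -> bool:
    """True when the installed version is older than the fixed release."""
    return parse_version(version) < FIXED_VERSION


def build_sample_db() -> sqlite3.Connection:
    """Constructed stand-in for a WordPress database (in-memory SQLite)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wp_users (
            ID INTEGER PRIMARY KEY, user_login TEXT, user_registered TEXT);
        CREATE TABLE wp_usermeta (
            umeta_id INTEGER PRIMARY KEY, user_id INTEGER,
            meta_key TEXT, meta_value TEXT);
    """)
    users = [
        (1, "siteowner", "2019-05-02 10:00:00"),
        (2, "editor_jane", "2020-01-14 09:30:00"),
        (3, "wp-support", "2021-03-08 03:12:44"),  # constructed: rogue admin
    ]
    # WordPress stores roles as a PHP-serialized array under wp_capabilities.
    caps = [
        (1, 1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
        (2, 2, "wp_capabilities", 'a:1:{s:6:"editor";b:1;}'),
        (3, 3, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    ]
    conn.executemany("INSERT INTO wp_users VALUES (?,?,?)", users)
    conn.executemany("INSERT INTO wp_usermeta VALUES (?,?,?,?)", caps)
    return conn


# Matches each enabled role entry, e.g. s:13:"administrator";b:1;
ROLE_RE = re.compile(r's:\d+:"([^"]+)";b:1;')


def roles_from_capabilities(serialized: str) -> set:
    """Extract enabled role names from the serialized capabilities array."""
    return set(ROLE_RE.findall(serialized))


def find_admin_accounts(conn, prefix: str = "wp_") -> list:
    """Return (login, registered) for every user holding the administrator role.

    `prefix` is the operator-configured table prefix from wp-config.php, not
    untrusted input; the meta_key itself is passed as a bound parameter.
    """
    rows = conn.execute(
        f"SELECT u.user_login, u.user_registered, m.meta_value "
        f"FROM {prefix}users u JOIN {prefix}usermeta m ON m.user_id = u.ID "
        f"WHERE m.meta_key = ?",
        (prefix + "capabilities",),
    ).fetchall()
    return [(login, reg) for login, reg, caps in rows
            if "administrator" in roles_from_capabilities(caps)]


def unexpected_admins(conn, known_admins) -> set:
    """Admin logins that are not on the operator's allow-list."""
    return {login for login, _ in find_admin_accounts(conn)} - set(known_admins)


if __name__ == "__main__":
    print("4.1.6 affected:", is_affected("4.1.6"))
    conn = build_sample_db()
    for login, reg in find_admin_accounts(conn):
        print(f"admin: {login} (registered {reg})")
    print("unexpected:", unexpected_admins(conn, {"siteowner"}))
```

Against a real site, replace `build_sample_db()` with a connection to the production database and pass the list of administrators you actually provisioned to `unexpected_admins`; any login it returns, particularly one registered around the exposure window, warrants the full compromised-site response (password resets, session invalidation, file integrity review) rather than just deletion, because the login-as-any-user half of this bug leaves no new account behind.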

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Reference

https://posimyth.ticksy.com/ticket/2713734/
https://wpscan.com/vulnerability/c311feef-7041-4c21-9525-132b9bd32f89
https://www.wordfence.com/blog/2021/03/critical-0-day-in-the-plus-addons-for-elementor-allows-site-takeover/

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

9.8

Base Severity

CRITICAL
