CVE-2021-24175
Summary
| CVE | CVE-2021-24175 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2021-04-05 19:15:00 UTC |
| Updated | 2021-04-09 17:22:00 UTC |
| Description | The Plus Addons for Elementor Page Builder WordPress plugin before 4.1.7 was being actively exploited by malicious actors to bypass authentication, allowing unauthenticated users to log in as any user (including admin) by just providing the related username, as well as create accounts with arbitrary roles, such as admin. These issues can be exploited even if registration is disabled, and the Login widget is not active. |
Risk And Classification
Problem Types: CWE-287
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Posimyth | The Plus Addons For Elementor | All | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| The Plus Addons for Elementor Page Builder < 4.1.7 - Authentication Bypass Security Vulnerability | CONFIRM | wpscan.com | |
| Critical 0-day in The Plus Addons for Elementor Allows Site Takeover | MISC | www.wordfence.com | |
| "Plugin Exploitation" (#2713734) / POSIMYTH | MISC | posimyth.ticksy.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
LEGACY: Ville Korhonen (Seravo), Antony Booker (WP Charged)
There are currently no legacy QID mappings associated with this CVE.