Vulnerability CVE-2021-24193

Vulnerability CVE-2021-24193

Published: 2021-05-14

Description:

Low privileged users can use the AJAX action 'cp_plugins_do_button_job_later_callback' in the Visitor Traffic Real Time Statistics WordPress plugin before 2.12, to install any plugin (including a specific version) from the WordPress repository, as well as activate arbitrary plugin from then blog, which helps attackers install vulnerable plugins and could lead to more critical vulnerabilities like RCE.

Type:

CWE-285

(Improper Authorization)

CVSS2 => (AV:N/AC:L/Au:S/C:P/I:P/A:P)

CVSS Base Score	Impact Subscore	Exploitability Subscore
6.5/10	6.4/10	8/10

Exploit range	Attack complexity	Authentication
Remote	Low	Single time
Confidentiality impact	Integrity impact	Availability impact
Partial	Partial	Partial

Affected software
Wp-buy -> Visitor traffic real time statistics

References:

https://wpscan.com/vulnerability/74889e29-5349-43d1-baf5-1622493be90c

Copyright 2024, cxsecurity.com