CVE-2021-24175
First published: Mon Apr 05 2021(Updated: )
The Plus Addons for Elementor Page Builder WordPress plugin before 4.1.7 was being actively exploited to by malicious actors to bypass authentication, allowing unauthenticated users to log in as any user (including admin) by just providing the related username, as well as create accounts with arbitrary roles, such as admin. These issues can be exploited even if registration is disabled, and the Login widget is not active.
Credit: contact@wpscan.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Posimyth The Plus Addons For Elementor | <4.1.7 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2021-24175?
CVE-2021-24175 is a vulnerability in The Plus Addons for Elementor Page Builder WordPress plugin before version 4.1.7 that allows unauthenticated users to bypass authentication and log in as any user, including the admin.
How severe is CVE-2021-24175?
CVE-2021-24175 has a severity rating of 9.8, which is considered critical.
How was CVE-2021-24175 being exploited?
CVE-2021-24175 was being actively exploited by malicious actors to bypass authentication and gain unauthorized access.
How can I fix CVE-2021-24175?
To fix CVE-2021-24175, you should update The Plus Addons for Elementor Page Builder WordPress plugin to version 4.1.7 or later.
Where can I find more information about CVE-2021-24175?
You can find more information about CVE-2021-24175 in the following references: [Reference 1](https://posimyth.ticksy.com/ticket/2713734/), [Reference 2](https://wpscan.com/vulnerability/c311feef-7041-4c21-9525-132b9bd32f89), [Reference 3](https://www.wordfence.com/blog/2021/03/critical-0-day-in-the-plus-addons-for-elementor-allows-site-takeover/)
- collector/nvd-index
- vendor/posimyth
- canonical/posimyth the plus addons for elementor