First published: Mon Apr 05 2021
The Plus Addons for Elementor Page Builder WordPress plugin before 4.1.7 was being actively exploited by malicious actors to bypass authentication, allowing unauthenticated users to log in as any user (including admin) by just providing the related username, as well as to create accounts with arbitrary roles, such as admin. These issues can be exploited even if registration is disabled and the Login widget is not active.
Credit: contact@wpscan.com
Affected Software | Affected Version | How to fix |
---|---|---|
Posimyth The Plus Addons For Elementor | <4.1.7 | Update to 4.1.7 or later |
CVE-2021-24175 is a vulnerability in The Plus Addons for Elementor Page Builder WordPress plugin before version 4.1.7 that allows unauthenticated users to bypass authentication and log in as any user, including the admin.
CVE-2021-24175 has a severity rating of 9.8, which is considered critical.
CVE-2021-24175 was being actively exploited by malicious actors to bypass authentication and gain unauthorized access.
To fix CVE-2021-24175, you should update The Plus Addons for Elementor Page Builder WordPress plugin to version 4.1.7 or later.
You can find more information about CVE-2021-24175 in the following references: [Reference 1](https://posimyth.ticksy.com/ticket/2713734/), [Reference 2](https://wpscan.com/vulnerability/c311feef-7041-4c21-9525-132b9bd32f89), [Reference 3](https://www.wordfence.com/blog/2021/03/critical-0-day-in-the-plus-addons-for-elementor-allows-site-takeover/)