First published: Mon Jun 14 2021(Updated: )
The Plus Addons for Elementor Page Builder WordPress plugin before 4.1.11 did not properly check that a user requesting a password reset was the legitimate user, allowing an attacker to send an arbitrary reset password email to a registered user on behalf of the WordPress site. Such issue could be chained with an open redirect (CVE-2021-24358) in version below 4.1.10, to include a crafted password reset link in the email, which would lead to an account takeover.
Credit: contact@wpscan.com
Affected Software | Affected Version | How to fix |
---|---|---|
Posimyth The Plus Addons For Elementor | <4.1.11 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2021-24359 is a vulnerability in the Plus Addons for Elementor Page Builder WordPress plugin before version 4.1.11 that allows an attacker to send an arbitrary reset password email to a registered user on behalf of the WordPress site.
CVE-2021-24359 has a severity rating of 5.3, which is considered medium.
CVE-2021-24359 affects the Plus Addons for Elementor Page Builder WordPress plugin before version 4.1.11, allowing an attacker to send an arbitrary reset password email to a registered user.
To fix CVE-2021-24359, update the Plus Addons for Elementor Page Builder WordPress plugin to version 4.1.11 or later.
CVE-2021-24359 is associated with CWE-287 (Improper Authentication) and CWE-284 (Improper Access Control).