CVE-2021-4425: CSRF
First published: Wed Jul 12 2023(Updated: )
The Defender Security plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.4.6. This is due to missing or incorrect nonce validation on the verify_otp_login_time() function. This makes it possible for unauthenticated attackers to verify a one time login via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Credit: security@wordfence.com security@wordfence.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| WPMU DEV Defender Security | <=2.4.6 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://blog.nintechnet.com/25-wordpress-plugins-vulnerable-to-csrf-attacks/
- https://blog.nintechnet.com/more-wordpress-plugins-and-themes-vulnerable-to-csrf-attacks/
- https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-1/
- https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-2/
- https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-3/
- https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-4/
- https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-5/
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2473684%40defender-security&new=2473684%40defender-security&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/e772fbbe-33d5-46fa-a041-ab07d3f9318f?source=cve
Frequently Asked Questions
What is CVE-2021-4425?
CVE-2021-4425 is a vulnerability in the Defender Security plugin for WordPress that allows unauthenticated attackers to verify a one-time login.
How severe is CVE-2021-4425?
The severity of CVE-2021-4425 is medium with a CVSS score of 4.3.
How does CVE-2021-4425 affect the Defender Security plugin for WordPress?
CVE-2021-4425 affects versions up to and including 2.4.6 of the Defender Security plugin for WordPress.
What is Cross-Site Request Forgery (CSRF)?
Cross-Site Request Forgery (CSRF) is an attack that tricks the victim into submitting a malicious request, which can lead to unintended actions or data exposure.
How can I fix CVE-2021-4425?
To fix CVE-2021-4425, update the Defender Security plugin for WordPress to a version higher than 2.4.6.
- agent/author
- agent/type
- agent/softwarecombine
- agent/remedy
- agent/references
- agent/weakness
- agent/severity
- agent/description
- agent/first-publish-date
- agent/event
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/nvd-api
- collector/nvd-latest
- vendor/wpmudev
- canonical/wpmu dev defender security
- version/wpmu dev defender security/2.4.6