CVE-2021-24175
published 2021-04-05

Priority: P184 · critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
ITW EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 14.46% (96.2th percentile)
The Plus Addons for Elementor Page Builder WordPress plugin before 4.1.7 was being actively exploited by malicious actors to bypass authentication, allowing unauthenticated users to log in as any user (including admin) by just providing the related username, as well as to create accounts with arbitrary roles, such as admin. These issues can be exploited even if registration is disabled and the Login widget is not active.

Affected

1 range

Vendor: posimyth
Product: the_plus_addons_for_elementor
Version range: < 4.1.7
Fixed in: 4.1.7

Detection & IOCs (extracted from sources)

path: /wp-content/plugins/the-plus-addons-for-elementor-page-builder/readme.txt
path: /wp-content/plugins/the-plus-addons-for-elementor-page-builder/
  • Detect vulnerable plugin version by fetching readme.txt and extracting 'Stable tag' version string; flag if version is less than 4.1.7
  • HTTP GET request to /wp-content/plugins/the-plus-addons-for-elementor-page-builder/readme.txt returning HTTP 200 and containing 'The Plus Addons for Elementor' indicates a potentially vulnerable installation
  • Use FOFA query 'body="/wp-content/plugins/the-plus-addons-for-elementor-page-builder/"' to identify internet-exposed WordPress sites with the vulnerable plugin installed
  • Extract version from readme.txt using regex 'Stable tag: ([0-9.]+)' and compare against the fixed version 4.1.7
  • The authentication bypass is exploitable even when user registration is disabled and the Login widget is not active; do not rely on those controls as mitigations
  • The vulnerability allows unauthenticated login as any user including admin by supplying only a username, and also permits creation of accounts with arbitrary roles such as admin
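The version check described in the detection bullets above, worked through as an added example (this is not code from the advisory source or from the plugin project). It applies the 'Stable tag' regex to the contents of readme.txt, compares the extracted version numerically against the fixed release 4.1.7, and handles the cases the bullets leave implicit: a non-numeric tag such as 'trunk', a readme that does not belong to this plugin, and versions with a different number of components. The readme contents and the helper names are constructed for the example; the fixed version, path and plugin marker string come from the advisory.

```python
import re
from typing import Optional

# Values taken from the advisory
FIXED_VERSION = "4.1.7"
README_PATH = "/wp-content/plugins/the-plus-addons-for-elementor-page-builder/readme.txt"
PLUGIN_MARKER = "The Plus Addons for Elementor"
STABLE_TAG_RE = re.compile(r"Stable tag:\s*([0-9.]+)", re.IGNORECASE)


def parse_version(version: str) -> tuple:
    """Turn '4.1.7' into (4, 1, 7) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.strip(".").split(".") if part)


def version_lt(a: str, b: str) -> bool:
    """True if version a is strictly older than b; shorter versions are zero-padded ('4.1' == '4.1.0')."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return pa < pb


def stable_tag_from_readme(readme_text: str) -> Optional[str]:
    """Extract the 'Stable tag' version from readme.txt; None if absent or non-numeric (e.g. 'trunk')."""
    match = STABLE_TAG_RE.search(readme_text)
    return match.group(1) if match else None


def is_vulnerable_version(version: str) -> bool:
    """Any version below the fixed release falls in the affected range '< 4.1.7'."""
    return version_lt(version, FIXED_VERSION)


def assess_readme(readme_text: str) -> dict:
    """Apply the advisory's detection logic to readme.txt contents.

    'vulnerable' is True/False when a version could be read, None when the plugin
    marker is present but the version is unreadable, and False when the text is
    not this plugin's readme at all.
    """
    detected = PLUGIN_MARKER.lower() in readme_text.lower()
    version = stable_tag_from_readme(readme_text) if detected else None
    if version:
        vulnerable = is_vulnerable_version(version)
    else:
        vulnerable = None if detected else False
    return {"plugin_detected": detected, "version": version, "vulnerable": vulnerable}


# Constructed sample readme.txt contents (hypothetical, not real plugin files)
SAMPLE_VULNERABLE = """=== The Plus Addons for Elementor ===
Contributors: example
Stable tag: 4.1.6
Tested up to: 5.7
"""
SAMPLE_FIXED = SAMPLE_VULNERABLE.replace("Stable tag: 4.1.6", "Stable tag: 4.1.7")
SAMPLE_NO_TAG = SAMPLE_VULNERABLE.replace("Stable tag: 4.1.6", "Stable tag: trunk")

if __name__ == "__main__":
    for label, text in [("vulnerable", SAMPLE_VULNERABLE), ("fixed", SAMPLE_FIXED), ("no tag", SAMPLE_NO_TAG)]:
        print(f"{label}: {assess_readme(text)}")
```

The function takes the readme text rather than fetching it, so it works the same whether the file is read from the plugin directory on disk during an inventory check or from an HTTP response body. A numeric comparison is deliberate: a plain string comparison would judge "4.1.10" older than "4.1.7". The result is a version-based heuristic only; a 'Stable tag' below 4.1.7 says the packaged version is in the affected range, not that the site has been compromised, and a missing readme.txt (some hosts block it) gives no information either way.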

CVSS provenance

nvd v3.1: 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
nvd v2.0: 7.5 HIGH (AV:N/AC:L/Au:N/C:P/I:P/A:P)
vulncheck: 9.8 CRITICAL