CVE-2021-4343
published 2023-06-07

Priority: P262
Severity: critical, 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 1.40% (69.1th percentile)

The Unauthenticated Account Creation plugin for WordPress is vulnerable to Unauthenticated Account Creation in versions up to, and including, 1.6.6. This is due to the stm_listing_register AJAX action function being accessible and taking roles unprotected. This makes it possible for unauthenticated attackers to create accounts, even those with administrator privileges.

Affected

5 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| istio.io | istio | >= 0 < 1.9.8 | 1.9.8 |
| istio.io | istio | >= 1.10.0 < 1.10.4 | 1.10.4 |
| istio.io | istio | >= 1.11.0 < 1.11.1 | 1.11.1 |
| stylemix | directory_listings_wordpress_plugin_ulisting | < 1.7 | 1.7 |
| stylemixthemes | ulisting | <= 1.6.6 | |

CVSS provenance

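| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| vendor_redhat | | 8.3 | HIGH | |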