cbcvebase.
CVE-2021-4374
published 2023-06-07

Priority: P1 87 · critical · 9.8 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitation: in-the-wild exploit · VulnCheck KEV · Exploited in the wild
EPSS: 16.41% (96.6th percentile)
The WordPress Automatic Plugin for WordPress is vulnerable to arbitrary options updates in versions up to, and including, 3.53.2. This is due to missing authorization and option validation in the process_form.php file. This makes it possible for unauthenticated attackers to arbitrarily update the settings of a vulnerable site and ultimately compromise the entire site.

Affected (2 ranges)

Vendor | Product | Version range | Fixed in
valvepress | wordpress_automatic_plugin | < 3.53.3 | 3.53.3
valvepress | wordpress_automatic_plugin | <= 3.53.2 | (not listed)

Detection & IOCs (extracted from sources)

path: /wp-content/plugins/wp-automatic/process_form.php
path: /wp-content/plugins/wp-automatic/
command: POST /wp-content/plugins/wp-automatic/process_form.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded field1=<randstr>&field3=test&field4=test&field5=test&field6=test&blogdescription=<randstr>
  • Monitor for unauthenticated POST requests to /wp-content/plugins/wp-automatic/process_form.php, which is the vulnerable endpoint allowing arbitrary WordPress options updates without authentication.
  • Alert on WordPress option changes for 'users_can_register' (enabled) and 'default_role' set to 'administrator', which are the key options manipulated during exploitation to enable self-registration of admin accounts.
  • The vulnerability can be triggered even when the plugin is deactivated, so blocking or monitoring access to process_form.php at the web server/WAF level is necessary regardless of plugin activation state.
  • Use FOFA/Shodan/Google dorks to identify exposed instances: search for 'wp-content/plugins/wp-automatic/' in HTTP responses or URLs.
  • Affected versions are 3.53.2 and below; the vulnerability is in process_form.php, which passes all POST parameters directly to update_option() without any authorization or validation.
  • The Metasploit module requires a valid attacker-controlled email address to receive the WordPress registration email for the newly created administrator account; this step is not automated in the MSF module.
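As an added defensive example (not part of this record or of any vendor tooling), a small Python script that applies the first two detection bullets: it picks POSTs to process_form.php out of combined-format access-log lines, and flags the users_can_register / default_role changes in option-change audit events. The log lines, the event records and the example.test referer are constructed; the audit-event shape (option/old/new) is an assumption about whatever WordPress audit logging is in place.

```python
import re

# Vulnerable endpoint named in the advisory (CVE-2021-4374).
VULN_PATH = "/wp-content/plugins/wp-automatic/process_form.php"

# "combined" access-log line: client, ident, user, [ts], "request", status, size, "referer", "ua".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

def find_process_form_posts(lines):
    """Return (ip, ts, referer) for every POST to the vulnerable endpoint.
    The combined format carries no session cookie, so authentication cannot be judged
    here; the referer is kept so an analyst can see whether the POST came from wp-admin."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and m["method"] == "POST" and m["path"].split("?", 1)[0] == VULN_PATH:
            hits.append((m["ip"], m["ts"], m["referer"]))
    return hits

# Option/value pairs the advisory names as the exploitation signature.
SUSPICIOUS_OPTIONS = {
    "users_can_register": lambda new: str(new) == "1",
    "default_role": lambda new: str(new).lower() == "administrator",
}

def flag_option_changes(events):
    """Return option-change events (dicts with option/old/new) matching SUSPICIOUS_OPTIONS."""
    return [e for e in events
            if e["option"] in SUSPICIOUS_OPTIONS and SUSPICIOUS_OPTIONS[e["option"]](e["new"])]

# Constructed samples: not real traffic, not real audit data.
SAMPLE_LOG = [
    '203.0.113.5 - - [07/Jun/2023:10:01:02 +0000] "POST /wp-content/plugins/wp-automatic/process_form.php HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '198.51.100.7 - - [07/Jun/2023:10:02:10 +0000] "GET /wp-login.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [07/Jun/2023:10:03:44 +0000] "POST /wp-content/plugins/wp-automatic/process_form.php?x=1 HTTP/1.1" 200 512 "https://example.test/wp-admin/admin.php?page=wp-automatic" "Mozilla/5.0"',
]
SAMPLE_EVENTS = [
    {"option": "users_can_register", "old": "0", "new": "1"},
    {"option": "default_role", "old": "subscriber", "new": "administrator"},
    {"option": "blogdescription", "old": "Just another site", "new": "x7k2"},
]

if __name__ == "__main__":
    for hit in find_process_form_posts(SAMPLE_LOG):
        print("POST to vulnerable endpoint:", hit)
    for ev in flag_option_changes(SAMPLE_EVENTS):
        print("suspicious option change:", ev)
```

Because the third bullet notes the endpoint is reachable even with the plugin deactivated, the access-log check is worth running on any host that still has the plugin directory on disk, not only on sites where it is active.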

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck | | 9.1 | CRITICAL |