CVE-2021-4374
Published 2023-06-07
Priority: P187 · critical · 9.8 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW exploit · VulnCheck KEV · Exploited in the wild
EPSS: 16.41% (96.6th percentile)
The WordPress Automatic Plugin for WordPress is vulnerable to arbitrary options updates in versions up to, and including, 3.53.2. This is due to missing authorization and option validation in the process_form.php file. This makes it possible for unauthenticated attackers to arbitrarily update the settings of a vulnerable site and ultimately compromise the entire site.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| valvepress | wordpress_automatic_plugin | < 3.53.3 | 3.53.3 |
| valvepress | wordpress_automatic_plugin | <= 3.53.2 | — |
Detection & IOCs (extracted from sources)
Request observed in exploitation attempts:
POST /wp-content/plugins/wp-automatic/process_form.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
field1=<randstr>&field3=test&field4=test&field5=test&field6=test&blogdescription=<randstr>
- Monitor for unauthenticated POST requests to /wp-content/plugins/wp-automatic/process_form.php, which is the vulnerable endpoint allowing arbitrary WordPress options updates without authentication.
- Alert on WordPress option changes for 'users_can_register' (enabled) and 'default_role' set to 'administrator', which are the key options manipulated during exploitation to enable self-registration of admin accounts.
- The vulnerability can be triggered even when the plugin is deactivated, so blocking or monitoring access to process_form.php at the web server/WAF level is necessary regardless of plugin activation state.
- Use FOFA/Shodan/Google dorks to identify exposed instances: search for 'wp-content/plugins/wp-automatic/' in HTTP responses or URLs.
- Affected versions are 3.53.2 and below; the vulnerability is in process_form.php, which passes all POST parameters directly to update_option() without any authorization or validation.
- The Metasploit module requires a valid attacker-controlled email address to receive the WordPress registration email for the newly created administrator account; this step is not automated in the MSF module.
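As an added, defender-side example (not part of this record or of any of the tools listed here), the two checks the detection notes above describe: flagging POSTs to the process_form.php endpoint in web-server access logs, and diffing two wp_options snapshots for the users_can_register / default_role / admin_email changes that the exploitation path leaves behind. The log lines, IP addresses and option values are constructed sample data.

```python
import re
from typing import Dict, List

# Constructed sample access-log lines (combined log format); not taken from the page.
SAMPLE_LOG = """\
203.0.113.7 - - [07/Jun/2023:10:01:12 +0000] "POST /wp-content/plugins/wp-automatic/process_form.php HTTP/1.1" 200 512 "-" "python-requests/2.28"
198.51.100.4 - - [07/Jun/2023:10:01:15 +0000] "GET /wp-content/plugins/wp-automatic/css/style.css HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [07/Jun/2023:10:01:40 +0000] "GET /wp-login.php?action=register HTTP/1.1" 200 4096 "-" "python-requests/2.28"
"""

VULN_PATH = "/wp-content/plugins/wp-automatic/process_form.php"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def flag_process_form_posts(log_text: str) -> List[Dict[str, str]]:
    """Return one alert per POST to the vulnerable endpoint.

    Any status code is reported: the script runs stand-alone, so a hit is
    suspicious even when the plugin is deactivated and the page responds oddly.
    """
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        if m["method"] == "POST" and m["path"].split("?")[0] == VULN_PATH:
            alerts.append({"ip": m["ip"], "ts": m["ts"], "status": m["status"]})
    return alerts


# Option values that indicate the self-registration path described above.
RISKY_OPTIONS = {"users_can_register": "1", "default_role": "administrator"}


def audit_option_changes(before: Dict[str, str], after: Dict[str, str]) -> List[str]:
    """Compare two wp_options snapshots and describe the changes worth alerting on."""
    findings = []
    for name, bad_value in RISKY_OPTIONS.items():
        if after.get(name) == bad_value and before.get(name) != bad_value:
            findings.append(f"{name} changed to {bad_value!r}")
    # The Metasploit module optionally rewrites the administrator's email as well.
    if after.get("admin_email") != before.get("admin_email"):
        findings.append("admin_email changed")
    return findings
```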
CVSS provenance
- NVD (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- VulnCheck: 9.1 CRITICAL
GHSA
GHSA-crwv-q9pj-pwrg (ghsa_unreviewed · 2023-06-07 · CRITICAL · CWE-862)
The WordPress Automatic Plugin for WordPress is vulnerable to arbitrary options updates in versions up to, and including, 3.53.2. This is due to missing authorization and option validation in the process_form.php file. This makes it possible for unauthenticated attackers to arbitrarily update the settings of a vulnerable site and ultimately compromise the entire site.
VulnCheck
valvepress wordpress_automatic_plugin Missing Authorization (vulncheck · 2021 · CVSS 9.1 · CRITICAL)
The WordPress Automatic Plugin for WordPress is vulnerable to arbitrary options updates in versions up to, and including, 3.53.2. This is due to missing authorization and option validation in the process_form.php file. This makes it possible for unauthenticated attackers to arbitrarily update the settings of a vulnerable site and ultimately compromise the entire site.
Affected: valvepress wordpress_automatic_plugin
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/wp-automatic/wordpress-automatic-plugin-3532-unauthenticated-ar
No detection rules found.
Metasploit
WordPress Plugin Automatic Config Change to RCE (metasploit)
This module exploits an unauthenticated arbitrary wordpress options change vulnerability in the Automatic (wp-automatic) plugin <= 3.53.2. If WPEMAIL is provided, the administrator's email address will be changed. User registration is enabled, and default user role is set to administrator. A user is then created with the USER name set. A valid EMAIL is required to get the registration email (not handled in MSF).
Nuclei
WordPress Automatic Plugin - Unauthenticated Options Change (nuclei · CVSS 9.8 · CRITICAL)
WordPress Automatic Plugin (versions 3.53.2 and below) contains a critical vulnerability that allows unauthenticated users to change arbitrary WordPress options through the process_form.php script. The vulnerable script uses update_option() on all POST parameters without authentication or capability checks, allowing attackers to create administrator accounts or modify critical settings. The vulnerability can be exploited even if the plugin is deactivated as it's a standalone script.
Template:
id: CVE-2021-4374
info:
  name: WordPress Automatic Plugin - Unauthenticated Options Change
  author: intelligent-ears
  severity: critical
  description: |
    WordPress Automatic Plugin (versions 3.53.2 and below) contains a critical vulnerability
No writeups or analysis indexed.
References:
- https://blog.nintechnet.com/critical-vulnerability-fixed-in-wordpress-automatic-plugin/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/d0567dc8-7a4c-42f4-bf45-f31a8efaa354?source=cve