cbcvebase.
CVE-2021-4380
published 2023-06-07


Priority: P180
Severity: critical, 9.8 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit status: ITW exploit · VulnCheck KEV · Exploited in the wild
EPSS: 4.53% (90.4th percentile)
The Pinterest Automatic plugin for WordPress is vulnerable to authorization bypass due to missing capability checks on the 'wp_pinterest_automatic_parse_request' function and the 'process_form.php' script in versions up to, and including, 1.14.3. This makes it possible for unauthenticated attackers to update arbitrary options on a site that can be used to create new administrative user accounts or redirect unsuspecting site visitors.

Affected (2 ranges)

Vendor      Product                  Version range   Fixed in
valvepress  pinterest_automatic      <= 4.14.3
valvepress  pinterest_automatic_pin  < 4.14.4        4.14.4

Detection & IOCs (extracted from sources)

url: /?wp_pinterest_automatic=settings
path: /process_form.php
  • Detect unauthenticated POST requests to /?wp_pinterest_automatic=settings, which abuses the missing capability check on wp_pinterest_automatic_parse_request to update arbitrary WordPress options.
  • A successful exploit returns HTTP 200 with an empty body (len(body)==0), followed by the modified option value being reflected on the site homepage.
  • Monitor for unauthenticated requests to process_form.php in the Pinterest Automatic plugin, which also lacks capability checks and can be used to update arbitrary options.
  • Watch for arbitrary WordPress option updates (e.g., blogdescription) via unauthenticated POST requests — a sign of privilege escalation or admin account creation attempts.
  • Content-Type: application/x-www-form-urlencoded is used in the exploit POST request; correlate with the wp_pinterest_automatic query parameter to identify exploitation attempts.
  • The vulnerability affects Pinterest Automatic plugin versions up to and including 1.14.3; ensure version detection is part of your asset inventory checks.
  • Both the wp_pinterest_automatic_parse_request function and the process_form.php script are independently exploitable attack surfaces due to missing capability checks; both must be patched and monitored.
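The indicators above can be turned into a small log-review check. The following Python script is an added example, not code from the page's sources, the plugin vendor or any detection-rule project. It assumes Apache/nginx "combined" access-log lines, uses constructed sample lines rather than real traffic, and stands in a placeholder for the plugin's directory name (the match is on the `/process_form.php` path suffix, so the directory does not need to be known). It flags requests that touch either attack surface, and grades a POST that returned HTTP 200 with an empty body as the strongest signal, matching the response pattern described above.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in "combined" log format (not real traffic).
# EXAMPLE_PLUGIN_DIR is a placeholder; the real plugin directory name is not given on the page.
SAMPLE_LOG = """\
203.0.113.5 - - [07/Jun/2023:10:00:01 +0000] "POST /?wp_pinterest_automatic=settings HTTP/1.1" 200 0 "-" "python-requests/2.31"
203.0.113.5 - - [07/Jun/2023:10:00:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "python-requests/2.31"
198.51.100.7 - - [07/Jun/2023:10:01:15 +0000] "POST /wp-content/plugins/EXAMPLE_PLUGIN_DIR/process_form.php HTTP/1.1" 200 - "-" "curl/8.1"
192.0.2.9 - - [07/Jun/2023:10:02:00 +0000] "GET /?wp_pinterest_automatic=settings HTTP/1.1" 403 199 "-" "Mozilla/5.0"
192.0.2.10 - - [07/Jun/2023:10:03:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Minimal parser for the fields we need from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)


def classify(line):
    """Return a finding dict if the line touches either CVE-2021-4380 surface, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    query = parse_qs(parts.query)
    # Surface 1: the settings action handled by wp_pinterest_automatic_parse_request.
    hits_parse_request = "settings" in query.get("wp_pinterest_automatic", [])
    # Surface 2: the plugin's process_form.php script (matched by path suffix).
    hits_process_form = parts.path.endswith("/process_form.php")
    if not (hits_parse_request or hits_process_form):
        return None

    if m["method"] != "POST":
        # The indicators describe POST requests; log other methods at low severity
        # rather than dropping them, so probing of the endpoint stays visible.
        severity = "low"
    else:
        # Combined format logs an empty body as "0" or "-".
        empty_body = m["size"] in ("-", "0")
        severity = "high" if (m["status"] == "200" and empty_body) else "medium"

    return {
        "ip": m["ip"],
        "ts": m["ts"],
        "method": m["method"],
        "target": m["target"],
        "status": int(m["status"]),
        "surface": "wp_pinterest_automatic_parse_request" if hits_parse_request else "process_form.php",
        "severity": severity,
    }


def scan(log_text):
    """Classify every line of an access log and return the findings in order."""
    return [f for f in (classify(line) for line in log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f'{finding["severity"]:6} {finding["ts"]} {finding["ip"]} '
              f'{finding["method"]} {finding["target"]} -> {finding["status"]} '
              f'[{finding["surface"]}]')
```

An access log cannot show whether the requester was authenticated, so every hit is a candidate to correlate with the WordPress session cookie or application logs; the "high" grade only reflects the 200-with-empty-body response pattern. Once the plugin directory is known from the asset inventory, narrowing the `process_form.php` match to that directory removes hits from unrelated plugins that ship a script of the same name.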

CVSS provenance

nvd: v3.1, 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck: 9.8 CRITICAL