Arbitrary Options Updates in WordPress Automatic Plugin by WordPress
CVE-2021-4374

9.1CRITICAL

Key Information:

Vendor: Wordpress
Status: WordPress Automatic Plugin
Vendor: CVE Published:; 7 June 2023

Summary

The WordPress Automatic Plugin, specifically in versions up to 3.53.2, contains a vulnerability that allows unauthenticated attackers to perform arbitrary updates to options due to insufficient authorization checks and lack of option validation in the process_form.php file. This significant flaw enables attackers to alter critical settings of compromised sites, posing a grave risk of complete site takeover without needing authentication.

Affected Version(s)

WordPress Automatic Plugin * < 3.53.3

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://blog.nintechnet.com/critical-vulnerability-fixed-...

CVSS V3.1

Score:

9.1

Severity:

CRITICAL

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jun 7, 2023
Vulnerability Reserved
Jun 6, 2023

Credit

Jerome Bruandet