CVE-2021-24175

9.8 CRITICAL

📋 TL;DR

This critical vulnerability in the Plus Addons for Elementor WordPress plugin (versions before 4.1.7) lets unauthenticated attackers bypass authentication entirely: they can log in as any existing user, including administrators, by supplying nothing more than the target's username, and they can register new accounts with an arbitrary role (administrator included) even when site registration is disabled and the plugin's Login widget is not placed on any page. Every WordPress site with a vulnerable version of the plugin active is affected.

💻 Affected Systems

Products:
  • Plus Addons for Elementor WordPress plugin
Versions: All versions before 4.1.7
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Exploitable regardless of whether user registration is disabled and whether the Login widget is active on any page; the vulnerable login/registration handlers are reachable whenever the plugin itself is active. Affects all WordPress installations running a vulnerable version.

📦 What is this software?

The Plus Addons for Elementor is an add-on pack of extra widgets (including front-end login and registration forms) for the Elementor page builder, distributed as a premium product by the vendor POSIMYTH (see the advisory link below). The vulnerable login/registration code ships with the plugin, so the flaw is present on every site where the plugin is active, not only where its widgets are used.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete site takeover: the attacker obtains an administrator session, installs backdoors (edited plugin or theme files, rogue administrator accounts), steals data from the database, defaces the site, or uses the server to attack other systems.

🟠 Likely Case

The attacker gains administrative access, installs malware, creates backdoor accounts and potentially pivots to other systems reachable from the web server.

🟢 If Mitigated

If the plugin is updated or deactivated before exploitation there is no impact. If a compromise is detected early, impact is limited to temporary unavailability during cleanup and whatever data was exposed during the brief compromise window; any accounts created and any sessions obtained during that window must still be treated as compromised and removed or invalidated.

🌐 Internet-Facing: HIGH - WordPress sites are typically internet-facing, and this vulnerability requires no authentication, making all vulnerable sites immediately exploitable from anywhere.
🏢 Internal Only: MEDIUM - Internal WordPress sites are still vulnerable but have reduced attack surface compared to internet-facing instances.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

This vulnerability was actively exploited in the wild as a zero-day before a fixed version was available. Exploitation requires only a crafted HTTP request naming the target username; no password, token, or pre-existing account is needed, so minimal technical skill is required.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.1.7 and later

Vendor Advisory: https://posimyth.ticksy.com/ticket/2713734/

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Plus Addons for Elementor'.
4. Click 'Update Now' if an update is available.
5. If no update appears, obtain the 4.1.7 or later package from the vendor (the plugin is a premium product and is not distributed through WordPress.org) and replace the plugin files, then confirm the installed version.
6. Updating does not undo a prior compromise: review administrator accounts and delete any you did not create, and rotate the authentication keys and salts in wp-config.php so that every existing session, including any the attacker obtained, is invalidated.

🔧 Temporary Workarounds

Immediate Plugin Deactivation

Applies to: all platforms

Temporarily deactivate the vulnerable plugin to close the unauthenticated login and registration handlers while a permanent fix is arranged. Page elements built with the plugin's widgets will stop rendering until it is re-enabled.

wp plugin list --fields=name,version,status | grep -i plus   # find the plugin's directory name (slug) first
wp plugin deactivate <slug>

Web Application Firewall Rule

Applies to: all platforms

Block the requests that actually reach the vulnerable handlers. A rule that blocks every URI containing '/wp-content/plugins/<slug>/' only stops the plugin's static assets (and breaks front-end styling); the login/registration handlers are invoked through /wp-admin/admin-ajax.php, so the rule must match POST requests to admin-ajax.php whose action parameter is one of the plugin's unauthenticated actions (the names registered with wp_ajax_nopriv_ in the plugin's own code). Treat this as a stopgap: the underlying code remains exploitable.

🧯 If You Can't Patch

  • Immediately deactivate the Plus Addons for Elementor plugin via the WordPress admin panel or WP-CLI
  • Restrict access to the WordPress admin interface (/wp-admin/ and /wp-login.php) to trusted IPs. Note that /wp-admin/admin-ajax.php is used by front-end features and usually has to stay reachable, so this limits what a bypassed login can be used for rather than preventing the login itself
  • Audit user accounts (especially administrators) and their registration dates daily until the plugin is updated
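The checks and workarounds above, collected into one script. This is an added example and not code from the advisory or from the plugin vendor. It assumes WP-CLI is installed and the script is run from the WordPress root; the plugin directory name is taken from the PLUGIN_SLUG environment variable and the default value 'theplus' is an assumption that must be confirmed with `wp plugin list`. The `--check` flag and the function names are the example's own. Besides comparing the installed version with the fixed one and deactivating when vulnerable, it lists the plugin's unauthenticated AJAX actions (the wp_ajax_nopriv_ hooks), which are the endpoints a WAF rule needs to match, and lists administrator accounts with their registration dates so that accounts created by an attacker stand out.

```shell
#!/bin/sh
# Added example script (not the advisory's or vendor's code).
# Assumptions: WP-CLI available, run from the WordPress root, and PLUGIN_SLUG
# set to the plugin's directory name. The default 'theplus' is an ASSUMPTION;
# confirm it with: wp plugin list --fields=name,version,status

FIXED_VERSION="4.1.7"
PLUGIN_SLUG="${PLUGIN_SLUG:-theplus}"

# version_lt A B: succeed (exit 0) when dot-separated version A is older than B.
# A pre-release suffix such as "-rc1" is cut off before comparing.
version_lt() {
    a="${1%%[!0-9.]*}."
    b="${2%%[!0-9.]*}."
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; a="${a#*.}"
        y="${b%%.*}"; b="${b#*.}"
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
    done
    return 1
}

# is_vulnerable_version V: succeed when V is below the fixed version 4.1.7.
is_vulnerable_version() {
    version_lt "$1" "$FIXED_VERSION"
}

# list_nopriv_actions DIR: print the AJAX action names the plugin registers for
# unauthenticated callers (wp_ajax_nopriv_<action>). Each is reachable by anyone
# via POST /wp-admin/admin-ajax.php with action=<name>, so these, not the plugin's
# static asset directory, are what a WAF rule has to gate.
list_nopriv_actions() {
    grep -rhoE "wp_ajax_nopriv_[A-Za-z0-9_]+" "$1" 2>/dev/null \
        | sed 's/^wp_ajax_nopriv_//' | sort -u
}

# check_and_mitigate: compare the installed version with the fix and deactivate
# the plugin when vulnerable. Returns 0 if fixed, 1 if vulnerable (deactivated),
# 2 if the plugin could not be queried (wrong slug or WP-CLI problem).
check_and_mitigate() {
    installed=$(wp plugin get "$PLUGIN_SLUG" --field=version 2>/dev/null) || {
        echo "cannot read version of plugin '$PLUGIN_SLUG'; confirm the slug with: wp plugin list" >&2
        return 2
    }
    if is_vulnerable_version "$installed"; then
        echo "$PLUGIN_SLUG $installed is below $FIXED_VERSION: VULNERABLE, deactivating" >&2
        wp plugin deactivate "$PLUGIN_SLUG"
        return 1
    fi
    echo "$PLUGIN_SLUG $installed: fixed version installed" >&2
    return 0
}

# Entry point. Only acts when invoked with --check so the file can be sourced
# (for example to reuse version_lt) without touching the site.
if [ "${1:-}" = "--check" ]; then
    check_and_mitigate
    echo "unauthenticated AJAX actions registered by the plugin:" >&2
    list_nopriv_actions "wp-content/plugins/$PLUGIN_SLUG"
    echo "administrator accounts (check user_registered against your own records):" >&2
    wp user list --role=administrator --fields=ID,user_login,user_email,user_registered
fi
```

Run it as `PLUGIN_SLUG=<slug> sh check-plus-addons.sh --check`. The action names it prints are the values to match in the admin-ajax.php WAF rule; an administrator whose user_registered date you cannot account for is a strong sign the registration bypass was used.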

🔍 How to Verify

Check if Vulnerable:

In WordPress admin → Plugins → Installed Plugins, find 'Plus Addons for Elementor' and check whether the version is below 4.1.7. The plugin's directory name (slug) used by WP-CLI can differ from its display name, so confirm it before using the commands below.

Check Version:

wp plugin list --fields=name,version,status | grep -i plus
wp plugin get <slug> --field=version

Verify Fix Applied:

Confirm the plugin version is 4.1.7 or higher in the admin panel or with the command above. A version bump does not undo a prior compromise, so also review administrator accounts and their registration dates for the period the vulnerable version was installed.

📡 Detection & Monitoring

Log Indicators:

  • Authenticated admin sessions (HTTP 200 on wp-admin pages) from client IPs that never POSTed to /wp-login.php: the bypass logs the attacker in without a password, so the credential POST that precedes every legitimate admin session is missing
  • New user accounts, especially with the administrator role, created while registration is disabled or without a matching request to wp-admin/user-new.php; compare user_registered timestamps with your own change records
  • Logins to existing administrator accounts at unusual times or from unusual IPs with no preceding failed attempts (no password guessing is needed for this bypass)

Network Indicators:

  • POST requests to /wp-admin/admin-ajax.php whose 'action' parameter belongs to the plugin's login or registration handlers (the names registered with wp_ajax_nopriv_ in the plugin code; they contain 'plus' strings), particularly from IPs with no other site activity
  • Requests to the plugin's endpoints from sources that have never authenticated

SIEM Query:

source="wordpress.log" AND uri_path="/wp-admin/admin-ajax.php" AND http_method="POST" AND (post_data="*plus*" OR post_data="*elementor*") AND http_status=200

This query only works where the WAF or reverse proxy logs request bodies; plain web-server access logs do not contain POST data, and admin-ajax.php is also used constantly by legitimate logged-in users, so correlate hits with the absence of a prior /wp-login.php POST from the same client rather than alerting on every match.
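The log indicator above (admin session without a preceding wp-login.php POST) as runnable detection logic. This is an added example, not part of the advisory; it assumes a web-server access log in the common combined format on standard input and uses constructed sample lines, not real traffic. An IP is reported when it POSTed to admin-ajax.php and then received a 200 for a wp-admin page without ever having POSTed to /wp-login.php in the same log; anonymous requests to wp-admin pages get a 302 to the login page, which is why a 200 is treated as an authenticated session.

```shell
#!/bin/sh
# Added detection example (not from the advisory). Input: access log in combined
# format on stdin. Output: one suspicious client IP per line.
# Usage: find_bypass_logins < /var/log/nginx/access.log

find_bypass_logins() {
    awk '
    {
        ip     = $1
        method = substr($6, 2)        # $6 is "\"POST"; drop the leading quote
        path   = $7
        status = $9
        if (method == "POST" && path ~ /^\/wp-login\.php/) {
            login[ip] = 1             # normal credential login seen for this IP
        } else if (method == "POST" && path ~ /^\/wp-admin\/admin-ajax\.php/) {
            ajax[ip] = 1              # unauthenticated AJAX entry point used by the bypass
        } else if (status == 200 && path !~ /admin-ajax\.php/ &&
                   path ~ /^\/wp-admin\/([a-z-]+\.php)?([?]|$)/) {
            # 200 on a wp-admin page means the session is authenticated;
            # static assets under /wp-admin/css/ etc. are excluded by the regex.
            if (ajax[ip] && !login[ip] && !seen[ip]) { seen[ip] = 1; print ip }
        }
    }'
}

# Constructed sample log: a legitimate admin (198.51.100.7), an anonymous visitor
# redirected away from wp-admin (192.0.2.9), and a client that reaches wp-admin
# straight after an admin-ajax POST without any wp-login.php POST (203.0.113.5).
sample_log() {
    cat <<'EOF'
198.51.100.7 - - [10/Mar/2021:12:00:01 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2021:12:00:02 +0000] "GET /wp-admin/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2021:12:00:03 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 53 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2021:12:01:00 +0000] "GET /wp-admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2021:12:02:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 53 "-" "curl/7.68.0"
203.0.113.5 - - [10/Mar/2021:12:02:01 +0000] "GET /wp-admin/ HTTP/1.1" 200 8123 "-" "curl/7.68.0"
203.0.113.5 - - [10/Mar/2021:12:02:05 +0000] "GET /wp-admin/user-new.php HTTP/1.1" 200 9001 "-" "curl/7.68.0"
203.0.113.5 - - [10/Mar/2021:12:02:09 +0000] "GET /wp-admin/css/login.min.css HTTP/1.1" 200 500 "-" "curl/7.68.0"
EOF
}

# Demonstration on the constructed sample: prints 203.0.113.5 only.
sample_log | find_bypass_logins
```

Expect false positives from administrators whose session cookie predates the log window (they never POST to wp-login.php inside it) and misses if the attacker replays the cookie from a different IP; use the output as a lead to check the WordPress user list and the users' last-login data, not as a verdict on its own.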
