CVE-2021-24189
📋 TL;DR
This vulnerability allows low-privileged WordPress users (like subscribers or contributors) to install and activate arbitrary plugins from the official WordPress repository. Attackers can exploit this to install vulnerable plugins that could lead to remote code execution. It affects WordPress sites using the Captchinoo plugin before version 2.4.
💻 Affected Systems
- Captchinoo, Google recaptcha for admin login page WordPress plugin
📦 What is this software?
Captchinoo is a WordPress plugin that adds Google reCAPTCHA protection to the admin login page.
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain full control of the WordPress site through plugin installation leading to remote code execution, potentially compromising the entire server.
Likely Case
Attackers install malicious plugins to establish persistence, steal data, or create backdoors for further exploitation.
If Mitigated
With proper user role management and monitoring, impact is limited to unauthorized plugin installations that can be detected and removed.
🎯 Exploit Status
Exploitation requires authenticated low-privileged access. Public proof-of-concept code is available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.4
Vendor Advisory: https://wpscan.com/vulnerability/74889e29-5349-43d1-baf5-1622493be90c
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find the 'Captchinoo' plugin.
4. Click 'Update Now' if available, or delete the plugin and reinstall version 2.4 or later from the repository.
🔧 Temporary Workarounds
Disable vulnerable AJAX endpoint
Remove or restrict access to the vulnerable AJAX action in WordPress.
Add to the theme's functions.php or a custom plugin: remove_action('wp_ajax_cp_plugins_do_button_job_later_callback', 'callback_function_name'); where 'callback_function_name' is a placeholder for the callback the plugin actually registers. remove_action() only works if it runs after the plugin has added the hook and is called with the same callback (and priority, if the plugin used a non-default one).
Restrict user capabilities
Temporarily remove plugin installation capabilities from low-privileged roles.
Use a WordPress role editor plugin or add to functions.php: get_role('subscriber')->remove_cap('install_plugins'); get_role('contributor')->remove_cap('install_plugins'); (remove_cap() is a method of WP_Role, not a global function). Note that the default subscriber and contributor roles do not carry install_plugins, so this only helps where roles were customised; it does not close the capability check the plugin itself fails to perform.
🧯 If You Can't Patch
- Immediately disable the Captchinoo plugin completely
- Implement strict user role management and audit all low-privileged accounts
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Captchinoo version. If version is below 2.4, site is vulnerable.
Check Version:
wp plugin list --name=captchinoo --field=version (WP-CLI) or check WordPress admin plugins page
Verify Fix Applied:
Confirm Captchinoo plugin version is 2.4 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Unusual plugin installation events
- AJAX requests to 'cp_plugins_do_button_job_later_callback' from low-privileged users
- Multiple plugin activation events in short time
Network Indicators:
- HTTP POST requests to /wp-admin/admin-ajax.php with action=cp_plugins_do_button_job_later_callback
SIEM Query:
source="wordpress.log" AND ("cp_plugins_do_button_job_later_callback" OR "plugin installed" OR "plugin activated") AND user_role IN ("subscriber", "contributor")
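The following detector is an added example, not part of the original advisory. Because the admin-ajax.php action parameter normally travels in the POST body, ordinary web-server access logs rarely record it, so this example works over an application-level audit log instead. It implements the three log indicators listed above (vulnerable AJAX action invoked by a low-privileged user, plugin install/activate by a low-privileged user, and a burst of activations in a short window) against constructed JSON-lines events; the field names and the log format are assumptions, not any particular audit plugin's schema.

```python
"""Flag CVE-2021-24189 log indicators in a WordPress audit log (added example)."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

VULN_ACTION = "cp_plugins_do_button_job_later_callback"
PRIVILEGED_ROLES = {"administrator"}   # roles that may legitimately install plugins
BURST_WINDOW = timedelta(minutes=5)    # "short time" for the activation-burst indicator
BURST_COUNT = 3

# Constructed sample events in a hypothetical JSON-lines audit-log format.
# Field names (ts, user, role, event, action, plugin) are assumptions.
SAMPLE_LOG = """\
{"ts": "2021-04-01T10:00:00", "user": "alice", "role": "administrator", "event": "ajax", "action": "heartbeat"}
{"ts": "2021-04-01T10:01:10", "user": "bob", "role": "subscriber", "event": "ajax", "action": "cp_plugins_do_button_job_later_callback"}
{"ts": "2021-04-01T10:01:12", "user": "bob", "role": "subscriber", "event": "plugin_installed", "plugin": "example-plugin-a"}
{"ts": "2021-04-01T10:01:13", "user": "bob", "role": "subscriber", "event": "plugin_activated", "plugin": "example-plugin-a"}
{"ts": "2021-04-01T10:02:00", "user": "bob", "role": "subscriber", "event": "plugin_activated", "plugin": "example-plugin-b"}
{"ts": "2021-04-01T10:03:30", "user": "bob", "role": "subscriber", "event": "plugin_activated", "plugin": "example-plugin-c"}
{"ts": "2021-04-01T11:00:00", "user": "alice", "role": "administrator", "event": "plugin_installed", "plugin": "example-plugin-d"}
"""


def parse_events(text):
    """Parse JSON-lines audit events, converting the timestamp to datetime."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        events.append(rec)
    return events


def find_indicators(events):
    """Return (indicator, user, detail) tuples for each suspicious event."""
    findings = []
    activations = defaultdict(list)  # user -> timestamps of recent plugin_activated
    for ev in sorted(events, key=lambda e: e["ts"]):
        low_priv = ev["role"] not in PRIVILEGED_ROLES

        # Indicator 1: the vulnerable AJAX action called by a low-privileged user.
        if ev["event"] == "ajax" and ev.get("action") == VULN_ACTION and low_priv:
            findings.append(("vuln_ajax_action_low_priv", ev["user"], ev["action"]))

        # Indicator 2: any plugin install/activation by a low-privileged user.
        if ev["event"] in ("plugin_installed", "plugin_activated") and low_priv:
            findings.append(("plugin_change_low_priv", ev["user"],
                             f'{ev["event"]}:{ev["plugin"]}'))

        # Indicator 3: several activations by one user inside a sliding window.
        if ev["event"] == "plugin_activated":
            recent = activations[ev["user"]]
            recent.append(ev["ts"])
            while recent and ev["ts"] - recent[0] > BURST_WINDOW:
                recent.pop(0)  # drop activations that fell out of the window
            if len(recent) == BURST_COUNT:  # fire once when the threshold is reached
                findings.append(("activation_burst", ev["user"],
                                 f"{len(recent)} activations within {BURST_WINDOW}"))
    return findings


if __name__ == "__main__":
    for indicator, user, detail in find_indicators(parse_events(SAMPLE_LOG)):
        print(f"{indicator:28} user={user:8} {detail}")
```

On the constructed sample this reports the AJAX call, the four plugin changes and one activation burst, all attributed to the subscriber account, and nothing for the administrator. Tune PRIVILEGED_ROLES and the burst thresholds to the site's normal administration pattern before relying on the burst rule alone.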