CVE-2021-24191
📋 TL;DR
This vulnerability allows low-privileged WordPress users (subscriber/contributor level) to install and activate arbitrary plugins from the WordPress repository. Attackers can exploit this to install vulnerable plugins that could lead to remote code execution. All WordPress sites using the WP Maintenance Mode plugin before version 1.8.2 are affected.
💻 Affected Systems
- WP Maintenance Mode & Site Under Construction WordPress Plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain full control of the WordPress site through plugin installation leading to remote code execution, data theft, and complete system compromise.
Likely Case
Attackers install malicious plugins to establish persistence, steal data, or use the site for phishing/malware distribution.
If Mitigated
With proper user role management and security plugins, impact is limited to unauthorized plugin installations that can be detected and removed.
🎯 Exploit Status
Exploitation requires authenticated low-privileged access. Public exploit code is available in security advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.8.2
Vendor Advisory: https://wpscan.com/vulnerability/74889e29-5349-43d1-baf5-1622493be90c
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Go to Plugins → Installed Plugins.
3. Find 'WP Maintenance Mode & Site Under Construction'.
4. Click 'Update Now' or manually update to version 1.8.2 or higher.
🔧 Temporary Workarounds
Disable vulnerable AJAX endpoint
Remove or restrict access to the vulnerable cp_plugins_do_button_job_later_callback AJAX action.
Add to theme's functions.php or custom plugin: remove_action('wp_ajax_cp_plugins_do_button_job_later_callback', 'cp_plugins_do_button_job_later_callback');
Restrict user capabilities
Remove the install_plugins and activate_plugins capabilities from low-privileged roles.
Add to theme's functions.php (remove_cap is a method of the WP_Role object returned by get_role, so fetch the role first): get_role('subscriber')->remove_cap('install_plugins'); get_role('subscriber')->remove_cap('activate_plugins'); get_role('contributor')->remove_cap('install_plugins'); get_role('contributor')->remove_cap('activate_plugins');
🧯 If You Can't Patch
- Disable the WP Maintenance Mode plugin entirely until patched
- Implement strict user role management and monitor for unauthorized plugin installations
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → Installed Plugins for WP Maintenance Mode version. If version is below 1.8.2, the site is vulnerable.
Check Version:
wp plugin get wp-maintenance-mode --field=version
Verify Fix Applied:
Verify plugin version is 1.8.2 or higher in WordPress admin panel. Test that low-privileged users cannot install or activate plugins.
📡 Detection & Monitoring
Log Indicators:
- WordPress logs showing plugin installations/activations by non-admin users
- Apache/Nginx logs with POST requests to /wp-admin/admin-ajax.php with action=cp_plugins_do_button_job_later_callback
Network Indicators:
- Unusual outbound connections after plugin installation
- Traffic to WordPress plugin repository from non-admin IPs
SIEM Query:
source="wordpress.log" AND ("plugin installed" OR "plugin activated") AND user_role!="administrator"
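The two workarounds above remove the endpoint or the capabilities outright, and the detection section relies on logs WordPress does not write by default. The following must-use plugin, written here as an added example and not code from the WP Maintenance Mode plugin or this advisory, instead gates the vulnerable AJAX action behind the install_plugins capability check it lacked and records plugin installs/activations with the acting user's roles. The file name, the cve_2021_24191_log helper and the log line format are assumptions chosen for this example.

```php
<?php
/**
 * Plugin Name: CVE-2021-24191 guard (added example, not part of WP Maintenance Mode)
 * Place in wp-content/mu-plugins/ so it loads before regular plugins.
 */

// Audit line for plugin events; goes to the PHP error log (or wp-content/debug.log
// with WP_DEBUG_LOG). Format is an assumption; adjust to what your SIEM parses.
function cve_2021_24191_log( $event, $plugin = '' ) {
    $user  = wp_get_current_user();
    $roles = $user->exists() ? implode( ',', $user->roles ) : 'anonymous';
    error_log( sprintf(
        '[wp-audit] event=%s plugin=%s user=%s roles=%s ip=%s',
        $event, $plugin, $user->user_login, $roles, $_SERVER['REMOTE_ADDR'] ?? '-'
    ) );
}

// 1. Gate the vulnerable AJAX action. Priority 0 runs before the plugin's own
//    callback (default priority 10); wp_send_json_error() ends the request via wp_die().
add_action( 'wp_ajax_cp_plugins_do_button_job_later_callback', function () {
    if ( ! current_user_can( 'install_plugins' ) ) {
        cve_2021_24191_log( 'blocked_ajax_plugin_install' );
        wp_send_json_error( 'forbidden', 403 );
    }
}, 0 );

// 2. Log every plugin activation with the caller's roles (core does not log this),
//    which is what the "non-admin user" SIEM query above needs as input.
add_action( 'activated_plugin', function ( $plugin ) {
    cve_2021_24191_log( 'plugin_activated', $plugin );
}, 10, 1 );

// 3. Log plugin installs performed through the core upgrader (the path the
//    vulnerable callback uses).
add_action( 'upgrader_process_complete', function ( $upgrader, $hook_extra ) {
    if ( ( $hook_extra['type'] ?? '' ) === 'plugin' && ( $hook_extra['action'] ?? '' ) === 'install' ) {
        $plugin_file = $upgrader->plugin_info() ?: 'unknown';
        cve_2021_24191_log( 'plugin_installed', $plugin_file );
    }
}, 10, 2 );
```

The action parameter of admin-ajax.php normally travels in the POST body, so web-server access logs only show action=cp_plugins_do_button_job_later_callback when it is passed in the query string; the server-side audit line above is the dependable source for the "plugin installed / activated by non-administrator" indicator.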