CVE-2021-24193

8.8 HIGH

📋 TL;DR

The Visitor Traffic Real Time Statistics WordPress plugin, in versions before 2.12, exposes an AJAX action that installs and activates any plugin from the official wordpress.org repository without checking the caller's capabilities. Any authenticated user, down to the Subscriber role, can call it. An attacker installs a plugin with a known vulnerability and chains that into remote code execution on the site. Sites running the plugin in any version before 2.12 are affected.

💻 Affected Systems

Products:
  • Visitor Traffic Real Time Statistics WordPress Plugin
Versions: All versions before 2.12
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires an authenticated account; the Subscriber role (the lowest default WordPress role) is sufficient.

📦 What is this software?

Visitor Traffic Real Time Statistics is a WordPress plugin that records site visits and shows traffic statistics in the WordPress dashboard. The vulnerable action name (cp_plugins_do_button_job_later_callback) points at a bundled "cp_plugins" helper that offers one-click installation of other plugins, rather than at the statistics feature itself.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers gain full control of the WordPress site through plugin installation leading to remote code execution, data theft, and complete system compromise.

🟠

Likely Case

Attackers install vulnerable or malicious plugins to establish persistence, escalate privileges, or deploy backdoors for further attacks.

🟢

If Mitigated

With proper access controls and monitoring, unauthorized plugin installations are blocked and logged for investigation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated low-privileged user access. Public proof-of-concept available via WPScan.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.12

Vendor Advisory: https://wpscan.com/vulnerability/74889e29-5349-43d1-baf5-1622493be90c

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the 'Visitor Traffic Real Time Statistics' plugin.
4. Click 'Update Now' if available, or manually update to version 2.12 or later.
5. Verify the plugin version after the update.

🔧 Temporary Workarounds

Disable the vulnerable AJAX endpoint

Applies to: all affected versions

Unregister or block the cp_plugins_do_button_job_later_callback AJAX action so the plugin's handler never runs for low-privileged users.

Add to a must-use plugin (preferred; a theme's functions.php is lost on theme switch): remove_action('wp_ajax_cp_plugins_do_button_job_later_callback', 'callback_function_name');

Caveat: remove_action() is a silent no-op unless the callback name and priority match exactly what the plugin passed to add_action(), so replace the placeholder with the real callback from the plugin's source and confirm the hook is gone. An alternative that does not depend on the callback name is to hook the same action at priority 0 (ahead of the default 10) and end the request unless current_user_can('install_plugins') returns true.

Restrict who can reach the endpoint

Applies to: all affected versions

Reduce the number of accounts that can authenticate, since every exploit path starts with a login.

Note that removing 'install_plugins' and 'activate_plugins' from low-privileged roles does not help here: Subscriber, Contributor, Author and Editor never hold those capabilities, and the flaw is that the plugin's AJAX handler does not check them at all. Instead, turn off open registration (Settings → General → Membership: "Anyone can register"), audit and remove unused low-privileged accounts, and enforce strong credentials or two-factor authentication for the rest.
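The following must-use plugin is an added example, not code from the Visitor Traffic Real Time Statistics plugin or its vendor. It implements the priority-0 gate described above: it hooks the advisory's AJAX action ahead of the plugin's own handler, lets the request through only for users who may install and activate plugins, and logs every blocked attempt. It assumes the file is placed in wp-content/mu-plugins/ (so it loads before regular plugins) and that the PHP error log is collected by your log pipeline; the function and constant names are this example's own.

```php
<?php
/**
 * Plugin Name: Gate cp_plugins AJAX installer (CVE-2021-24193 workaround)
 * Description: Added example for this advisory, not part of the affected plugin.
 *              Place in wp-content/mu-plugins/ so it loads before regular plugins.
 */

// The AJAX action named in the advisory. admin-ajax.php runs every callback
// registered for "wp_ajax_{action}" in priority order; registering at priority 0
// runs this check before the plugin's handler (default priority 10), and ending
// the request here keeps that handler from executing at all.
const CVE_2021_24193_ACTION = 'cp_plugins_do_button_job_later_callback';

function cve_2021_24193_gate() {
    // Installing and activating are separate capabilities and legitimate use of
    // the endpoint needs both. Subscriber, Contributor, Author and Editor have neither.
    if ( current_user_can( 'install_plugins' ) && current_user_can( 'activate_plugins' ) ) {
        return; // administrator: let the plugin's own callback run
    }

    $user = wp_get_current_user(); // ID 0 and empty roles when unauthenticated

    // One structured line per blocked attempt. Only parameter names are logged:
    // the values are attacker controlled, so keep them out of the log line.
    error_log( 'cve_2021_24193_blocked ' . wp_json_encode( array(
        'user_id'    => $user->ID,
        'user_login' => $user->user_login,
        'roles'      => $user->roles,
        'remote_ip'  => isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '',
        'method'     => isset( $_SERVER['REQUEST_METHOD'] ) ? $_SERVER['REQUEST_METHOD'] : '',
        'params'     => array_keys( $_REQUEST ),
    ) ) );

    // Sends {"success":false,...} with HTTP 403 and calls wp_die(), so nothing
    // registered at a later priority for this action runs.
    wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
}

// Priority 0: run ahead of the plugin's handler. The nopriv variant is hooked as
// well so an unauthenticated caller is refused should it ever be registered.
add_action( 'wp_ajax_' . CVE_2021_24193_ACTION, 'cve_2021_24193_gate', 0 );
add_action( 'wp_ajax_nopriv_' . CVE_2021_24193_ACTION, 'cve_2021_24193_gate', 0 );
```

To confirm the gate is active, call /wp-admin/admin-ajax.php with action=cp_plugins_do_button_job_later_callback as a Subscriber test account: the response should be the 403 JSON error and a cve_2021_24193_blocked line should appear in the error log, while an administrator session still reaches the plugin's handler. Remove the file once the plugin is updated to 2.12 or later.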

🧯 If You Can't Patch

  • Disable or remove the Visitor Traffic Real Time Statistics plugin entirely
  • Disable open user registration and remove unused low-privileged accounts, since the exploit needs a login
  • Implement strict access controls and monitor for plugin installations or activations by non-administrator users

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel → Plugins → Installed Plugins for 'Visitor Traffic Real Time Statistics' version. If version is below 2.12, system is vulnerable.

Check Version:

wp plugin list --name=visitors-traffic-real-time-statistics --field=version (if WP-CLI is installed; --name filters on the plugin's directory name under wp-content/plugins, its wordpress.org slug, not on the display title shown in the admin panel)

Verify Fix Applied:

Confirm the plugin version is 2.12 or higher in the WordPress admin panel. Then, logged in as a Subscriber test account, send a request to /wp-admin/admin-ajax.php with action=cp_plugins_do_button_job_later_callback and confirm it is refused and that no new directory appears under wp-content/plugins.

📡 Detection & Monitoring

Log Indicators:

  • Unusual plugin installation events from non-admin users
  • AJAX requests to cp_plugins_do_button_job_later_callback endpoint
  • Multiple plugin activation attempts from single user

Network Indicators:

  • POST (or GET) requests to /wp-admin/admin-ajax.php with action=cp_plugins_do_button_job_later_callback. Note that admin-ajax.php reads the action from $_REQUEST, so when it travels in a POST body a standard web server access log shows only the bare POST to admin-ajax.php; visibility requires request-body logging (a WAF or ModSecurity audit log) or application-side logging of the action
  • Unusual outbound connections after plugin installations

SIEM Query:

source="wordpress.log" AND ("cp_plugins_do_button_job_later_callback" OR "plugin installed" OR "plugin activated") AND user_role!="administrator"

WordPress core does not write "plugin installed" or "plugin activated" events, nor a user_role field, to any log by default; this query assumes an audit plugin or custom hook that emits them.
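The must-use plugin below is an added example, not part of any plugin on this page. It produces the "plugin installed" and "plugin activated" events, with user, role, client IP and the admin-ajax action, that the SIEM query above assumes, using WordPress core's own activated_plugin and upgrader_process_complete hooks. It assumes the file lives in wp-content/mu-plugins/ and that the PHP error log reaches your SIEM; the wp_plugin_audit prefix and the function names are this example's own.

```php
<?php
/**
 * Plugin Name: Plugin install/activation audit log (added example)
 * Description: Emits one JSON line per plugin install or activation to the PHP
 *              error log. Not part of the affected plugin; place in wp-content/mu-plugins/.
 */

// Who is acting and how they got here. For admin-ajax.php the action parameter
// is read from $_REQUEST, so it is recorded here even when the access log shows
// only the bare POST to admin-ajax.php.
function plugin_audit_actor() {
    $user = wp_get_current_user(); // ID 0 when run from WP-CLI or cron
    return array(
        'user_id'     => $user->ID,
        'user_login'  => $user->user_login,
        'user_role'   => $user->roles ? implode( ',', $user->roles ) : 'none',
        'remote_ip'   => isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '',
        'request'     => ( isset( $_SERVER['REQUEST_METHOD'] ) ? $_SERVER['REQUEST_METHOD'] : '' )
                         . ' ' . ( isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '' ),
        'ajax_action' => isset( $_REQUEST['action'] ) ? sanitize_key( $_REQUEST['action'] ) : '',
    );
}

function plugin_audit_log( $event, array $fields ) {
    error_log( 'wp_plugin_audit ' . wp_json_encode( array_merge(
        array( 'event' => $event, 'ts' => gmdate( 'c' ) ),
        $fields,
        plugin_audit_actor()
    ) ) );
}

// Fires after any activation, including activate_plugin() called from code,
// which is how an AJAX installer would activate what it just fetched.
add_action( 'activated_plugin', function ( $plugin, $network_wide ) {
    plugin_audit_log( 'plugin activated', array(
        'plugin'       => $plugin,
        'network_wide' => (bool) $network_wide,
    ) );
}, 10, 2 );

// Fires when WP_Upgrader finishes. $hook_extra['type'] is 'plugin' for plugin
// work and $hook_extra['action'] is 'install' (what this CVE abuses) or 'update'.
add_action( 'upgrader_process_complete', function ( $upgrader, $hook_extra ) {
    if ( empty( $hook_extra['type'] ) || 'plugin' !== $hook_extra['type'] ) {
        return;
    }
    $action = isset( $hook_extra['action'] ) ? $hook_extra['action'] : 'unknown';
    $fields = array();
    if ( 'install' === $action && method_exists( $upgrader, 'plugin_info' ) ) {
        $fields['plugin'] = $upgrader->plugin_info(); // plugin file, or false on failure
    } elseif ( isset( $hook_extra['plugins'] ) ) {
        $fields['plugins'] = $hook_extra['plugins'];  // bulk update
    } elseif ( isset( $hook_extra['plugin'] ) ) {
        $fields['plugin'] = $hook_extra['plugin'];    // single update
    }
    plugin_audit_log( 'plugin ' . ( 'install' === $action ? 'installed' : $action ), $fields );
}, 10, 2 );
```

Each line looks like wp_plugin_audit {"event":"plugin installed","ts":"...","plugin":"...","user_id":...,"user_role":"subscriber","ajax_action":"cp_plugins_do_button_job_later_callback",...}, so the SIEM query's user_role and event strings map directly onto these fields. Any plugin install or activation whose user_role is not administrator, or whose ajax_action is the advisory's action, is the indicator to alert on; administrators installing plugins through the normal Plugins screen will appear with ajax_action empty.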
