CVE-2021-24195
📋 TL;DR
This vulnerability allows low-privileged users in WordPress to install and activate arbitrary plugins from the official repository via an AJAX endpoint. Attackers can exploit this to install vulnerable plugins that could lead to remote code execution. All WordPress sites using the Login as User or Customer (User Switching) plugin before version 1.8 are affected.
💻 Affected Systems
- Login as User or Customer (User Switching) WordPress plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain remote code execution by installing vulnerable plugins, leading to complete system compromise, data theft, or ransomware deployment.
Likely Case
Attackers install malicious plugins to establish persistence, escalate privileges, or deploy backdoors for further attacks.
If Mitigated
With proper access controls and monitoring, impact is limited to unauthorized plugin installations that can be detected and removed.
🎯 Exploit Status
Exploitation requires authenticated low-privileged user access. Public proof-of-concept code is available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.8
Vendor Advisory: https://wpscan.com/vulnerability/74889e29-5349-43d1-baf5-1622493be90c
Restart Required: No
Instructions:
1. Update the Login as User or Customer plugin to version 1.8 or later via the WordPress admin panel.
2. Verify the update completed successfully.
3. Test that user switching functionality remains operational.
🔧 Temporary Workarounds
Disable vulnerable AJAX endpoint
Remove or restrict access to the cp_plugins_do_button_job_later_callback AJAX action.
Add to theme functions.php or a custom plugin (replace the 'callback_function' placeholder with the plugin's actual handler name, and run the call after the plugin has registered the action, since remove_action() only works when the hook name, callback and priority match the original add_action()): remove_action('wp_ajax_cp_plugins_do_button_job_later_callback', 'callback_function');
Restrict plugin installation capabilities
Use WordPress capabilities management to prevent low-privileged users from installing plugins
Use plugin like User Role Editor to remove 'install_plugins' and 'activate_plugins' capabilities from low-privileged roles
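The two workarounds above can be combined into a single must-use plugin that runs before the plugin's own AJAX handler and refuses the request unless the caller already holds the install_plugins and activate_plugins capabilities. This is an added example written for this page, not the vendor's code; it assumes the plugin registers its handler at WordPress's default priority of 10 (so priority 0 runs first) and uses a hypothetical function name, cve_2021_24195_guard.

```php
<?php
/**
 * Plugin Name: CVE-2021-24195 capability guard (added example, not vendor code)
 * Description: Place in wp-content/mu-plugins/ to deny the vulnerable AJAX
 *              action to users who cannot legitimately install plugins.
 */

// Action name taken from the advisory; the guard function name is hypothetical.
const CVE_2021_24195_ACTION = 'cp_plugins_do_button_job_later_callback';

/**
 * Hooked at priority 0 so it runs before the plugin's handler (assumed to be
 * at the default priority 10). Administrators pass through; everyone else
 * gets a 403 and an audit line that matches the log indicators below.
 */
function cve_2021_24195_guard() {
    if ( current_user_can( 'install_plugins' ) && current_user_can( 'activate_plugins' ) ) {
        return; // Caller may install plugins anyway: let the plugin's handler run.
    }

    $user = wp_get_current_user();
    $ip   = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';

    // Record the blocked attempt so SIEM rules on this action name can see it.
    error_log( sprintf(
        'CVE-2021-24195 guard: blocked %s for user #%d (%s) from %s',
        CVE_2021_24195_ACTION,
        $user->ID,
        $user->user_login,
        $ip
    ) );

    // wp_send_json_error() ends the request via wp_die(), so no later-priority
    // callback on this hook (including the plugin's own) is ever executed.
    wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
}

add_action( 'wp_ajax_' . CVE_2021_24195_ACTION, 'cve_2021_24195_guard', 0 );
// Defensive: also cover the unauthenticated hook name; harmless if the plugin
// never registers it.
add_action( 'wp_ajax_nopriv_' . CVE_2021_24195_ACTION, 'cve_2021_24195_guard', 0 );
```

Because mu-plugins cannot be deactivated from the admin panel, remove the file once the plugin has been updated to 1.8 or later.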
🧯 If You Can't Patch
- Disable the Login as User or Customer plugin entirely
- Implement strict access controls and monitor for suspicious plugin installation activity
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Login as User or Customer. If version is below 1.8, the site is vulnerable.
Check Version:
wp plugin get 'login-as-user-or-customer' --field=version
Verify Fix Applied:
Confirm plugin version is 1.8 or higher in WordPress admin panel and test that low-privileged users cannot install plugins.
📡 Detection & Monitoring
Log Indicators:
- WordPress logs showing plugin installations by non-admin users
- AJAX requests to cp_plugins_do_button_job_later_callback endpoint
Network Indicators:
- HTTP POST requests to /wp-admin/admin-ajax.php with action=cp_plugins_do_button_job_later_callback
SIEM Query:
source="wordpress" AND (url_path="/wp-admin/admin-ajax.php" AND http_method="POST" AND form_data.action="cp_plugins_do_button_job_later_callback")