CVE-2021-24215

9.8 CRITICAL

📋 TL;DR

This vulnerability allows unauthenticated attackers to access WordPress admin customization and settings pages through the Controlled Admin Access plugin. Attackers can modify site settings and potentially take full control of the WordPress installation. All WordPress sites using vulnerable versions of this plugin are affected.

💻 Affected Systems

Products:
  • WordPress Controlled Admin Access Plugin
Versions: All versions before 1.5.2
Operating Systems: All operating systems running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects WordPress installations with the Controlled Admin Access plugin installed and activated.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the WordPress site including defacement, data theft, malware injection, and server takeover.

🟠 Likely Case

Unauthorized modification of site settings, theme customization, plugin installation, and administrative privilege escalation.

🟢 If Mitigated

Limited impact with proper network segmentation and web application firewalls blocking unauthorized admin access.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires direct access to vulnerable endpoints without authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.5.2

Vendor Advisory: https://wordpress.org/plugins/controlled-admin-access/#developers

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find the Controlled Admin Access plugin.
4. Click 'Update Now' if available.
5. Alternatively, download version 1.5.2+ from the WordPress repository and update manually.

🔧 Temporary Workarounds

Disable Plugin (platform: all)

Temporarily disable the vulnerable plugin until patched:

wp plugin deactivate controlled-admin-access

Block Vulnerable Endpoints (platform: linux)

Use a web application firewall or .htaccess to block access to the vulnerable paths. Note that a blanket deny on these paths also blocks legitimate administrators from using them, so treat it as a stopgap until the plugin is updated:

RewriteEngine On
RewriteRule ^wp-admin/(customization\.php|options\.php)$ - [F,L]

🧯 If You Can't Patch

  • Remove the Controlled Admin Access plugin completely
  • Implement strict IP-based access controls to WordPress admin area

🔍 How to Verify

Check if Vulnerable:

Check the installed version under WordPress admin > Plugins > Installed Plugins > Controlled Admin Access

Check Version:

wp plugin get controlled-admin-access --field=version

Verify Fix Applied:

Verify plugin version is 1.5.2 or higher
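The version check above is easy to get wrong with plain string comparison (for example, "1.5.10" sorts before "1.5.2" as text). The following script is an added example, not part of the advisory or the plugin, that compares the installed version against the fixed release component by component and wraps the page's own wp-cli command. It assumes wp-cli is installed and the script is run from the WordPress root; the comparison itself needs only POSIX sh and awk.

```shell
#!/bin/sh
# Added example: decide whether an installed Controlled Admin Access
# version is below the fixed release 1.5.2 (from the advisory).
FIXED_VERSION="1.5.2"

# version_lt A B -> returns 0 if A < B, comparing dot-separated numeric
# components so that 1.5.10 is correctly treated as newer than 1.5.2.
# Missing components count as 0, so "1.5" == "1.5.0".
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, A, "."); nb = split(b, B, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? A[i] + 0 : 0
            y = (i <= nb) ? B[i] + 0 : 0
            if (x < y) exit 0
            if (x > y) exit 1
        }
        exit 1
    }'
}

# is_vulnerable VERSION -> 0 if VERSION is older than the fixed release.
is_vulnerable() {
    [ -n "$1" ] || return 2
    version_lt "$1" "$FIXED_VERSION"
}

# check_site reads the live version with wp-cli (the advisory's own
# command) and prints a verdict. Returns 0 when vulnerable, 1 when fixed
# or not installed, 2 when wp-cli is unavailable.
check_site() {
    if ! command -v wp >/dev/null 2>&1; then
        echo "wp-cli not found; run from a WordPress root with wp-cli installed" >&2
        return 2
    fi
    installed=$(wp plugin get controlled-admin-access --field=version 2>/dev/null) || {
        echo "controlled-admin-access is not installed"
        return 1
    }
    if is_vulnerable "$installed"; then
        echo "VULNERABLE: controlled-admin-access $installed < $FIXED_VERSION"
        return 0
    fi
    echo "OK: controlled-admin-access $installed >= $FIXED_VERSION"
    return 1
}

# Usage: sh check_caa.sh --check   (runs against the live site)
if [ "${1:-}" = "--check" ]; then
    check_site
fi
```

The exit code of check_site is deliberately 0 for "vulnerable" so the script can drive a fleet-wide inventory loop that collects only affected hosts.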

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized access to /wp-admin/customization.php
  • Unauthorized access to /wp-admin/options.php
  • Multiple failed admin access attempts

Network Indicators:

  • HTTP requests to vulnerable endpoints without authentication
  • Unusual POST requests to admin settings pages

SIEM Query:

source="web_access.log" AND (uri="/wp-admin/customization.php" OR uri="/wp-admin/options.php") AND status=200 AND NOT user_agent="WordPress/*"
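For sites without a SIEM, the same logic can be run straight over the web server's access log. The script below is an added example, not from the advisory, that parses combined-format log lines, flags successful (HTTP 200) requests to the two endpoints named above, ignores WordPress's own self-requests by User-Agent as the SIEM query does, and summarises hits per source address for triage. The log lines embedded in it are constructed sample data, not real traffic; the endpoint paths are the ones the page lists.

```shell
#!/bin/sh
# Added example: flag hits on the advisory's two endpoints in an
# Apache/nginx combined-format access log.

# Constructed sample log (not real traffic). Line 3 is a redirect and
# line 4 is a WordPress self-request, so neither should be flagged.
SAMPLE_LOG=$(cat <<'EOF'
203.0.113.10 - - [10/Mar/2021:12:00:01 +0000] "GET /wp-admin/customization.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Mar/2021:12:00:05 +0000] "POST /wp-admin/options.php HTTP/1.1" 200 312 "-" "python-requests/2.25.1"
198.51.100.7 - - [10/Mar/2021:12:01:00 +0000] "GET /wp-admin/options.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.5 - - [10/Mar/2021:12:02:00 +0000] "GET /wp-admin/customization.php?x=1 HTTP/1.1" 200 5120 "-" "WordPress/5.7; https://example.test"
192.0.2.9 - - [10/Mar/2021:12:03:00 +0000] "GET /index.php HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
EOF
)

# find_hits: reads log lines on stdin and prints "ip method uri status"
# for 200 responses on the two endpoints, excluding User-Agents that
# start with "WordPress/" (cron and loopback requests from the site).
find_hits() {
    awk '
    {
        # Quoted fields: q[2] = request line, q[n-1] = user agent.
        n = split($0, q, "\"")
        req = q[2]; ua = q[n-1]
        split(req, r, " "); method = r[1]; uri = r[2]
        sub(/\?.*/, "", uri)                 # drop any query string
        split(q[3], s, " "); status = s[1]   # status follows the request
        if ((uri == "/wp-admin/customization.php" ||
             uri == "/wp-admin/options.php") &&
            status == "200" && ua !~ /^WordPress\//) {
            print $1, method, uri, status
        }
    }'
}

# count_hits FILE: number of flagged requests (sample log if no file).
count_hits() {
    if [ -n "${1:-}" ]; then find_hits < "$1"; else printf '%s\n' "$SAMPLE_LOG" | find_hits; fi | wc -l | tr -d ' '
}

# top_sources FILE: "count ip" per source, busiest first, for triage.
top_sources() {
    if [ -n "${1:-}" ]; then find_hits < "$1"; else printf '%s\n' "$SAMPLE_LOG" | find_hits; fi |
        awk '{ c[$1]++ } END { for (ip in c) print c[ip], ip }' | sort -rn
}

# Usage: sh caa_hits.sh /var/log/apache2/access.log
if [ -n "${1:-}" ]; then
    find_hits < "$1"
    echo "---"
    top_sources "$1"
fi
```

A 200 on these paths is only suggestive on its own: legitimate administrators produce the same lines, so correlate the source address with known admin sessions and treat POSTs from scripted User-Agents as the higher-priority signal.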
