CVE-2021-24581

8.8 HIGH

📋 TL;DR

The Blue Admin WordPress plugin stores its 'Logo Title' setting without sanitising it and renders it without escaping, so anyone who can change that setting can store a script that executes in the browser of every user who views a page where the title is rendered (stored XSS). Because the settings form carries no CSRF (nonce) check, the setting can also be changed by luring a logged-in administrator to an attacker-controlled page. WordPress sites running a vulnerable Blue Admin version are affected.

💻 Affected Systems

Products:
  • Blue Admin WordPress Plugin
Versions: through 21.06.01
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Every WordPress installation with a vulnerable Blue Admin version active is affected. Exploitation needs either an account with rights to change the plugin's settings, or a CSRF lure that makes such a user (typically an administrator) visit a malicious page while logged in.

📦 What is this software?

Blue Admin is a third-party WordPress plugin distributed through the WordPress plugin repository. The vulnerable component is the 'Logo Title' option on its settings page.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Because the script runs in an administrator's browser, it can act as that administrator. WordPress authentication cookies are set HttpOnly, so plain cookie theft via document.cookie is unlikely; the realistic path is a script that issues authenticated requests in the admin area (creating an administrator account, installing a plugin, editing theme files), redirects visitors to malicious sites, or defaces the site, any of which leads to complete site compromise.

🟠

Likely Case

Attackers inject JavaScript that performs unauthorized actions with the viewing user's privileges, harvests credentials through injected forms, or redirects users to phishing sites.

🟢

If Mitigated

Escaping the setting on output (esc_html / esc_attr), sanitising it on save (sanitize_text_field), and guarding the settings form with a WordPress nonce (wp_nonce_field / check_admin_referer) plus a capability check would prevent both the stored XSS and the CSRF vector.
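The following is an added illustrative example, not Blue Admin's actual source: a minimal settings handler that has the two defects described above, next to its hardened form. The option and field names ('ba_logo_title', 'logo_title', 'ba_settings_nonce', 'ba_save_settings') are assumptions chosen for the example; only the WordPress API functions are real.

```php
<?php
// Added illustrative example, not the plugin's code. Option/field names below
// are assumptions; the WordPress functions are real.

// --- Vulnerable pattern: no nonce check, no sanitisation, no output escaping ---
function ba_save_logo_title_vulnerable() {
    if ( ! isset( $_POST['logo_title'] ) ) {
        return;
    }
    // Any request that reaches this handler while an admin is logged in is
    // honoured, including one auto-submitted by a form on an attacker's site (CSRF).
    update_option( 'ba_logo_title', $_POST['logo_title'] );
}

function ba_render_logo_title_vulnerable() {
    // The stored value is echoed raw, so a title such as
    //   "><img src=x onerror=alert(1)>
    // runs in the browser of whoever views this markup (stored XSS).
    echo '<span class="ba-logo-title">' . get_option( 'ba_logo_title' ) . '</span>';
}

// --- Hardened pattern ---
function ba_save_logo_title_hardened() {
    if ( ! isset( $_POST['logo_title'] ) ) {
        return;
    }
    // 1. Capability check: only users allowed to manage options proceed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // 2. CSRF protection: the nonce is bound to the user session and the action
    //    name; a cross-site form cannot know it, so a forged request dies here.
    check_admin_referer( 'ba_save_settings', 'ba_settings_nonce' );
    // 3. Input sanitisation on the way in (tags, control characters stripped).
    $title = sanitize_text_field( wp_unslash( $_POST['logo_title'] ) );
    update_option( 'ba_logo_title', $title );
}

function ba_render_logo_title_hardened() {
    // 4. Output escaping at the point of use, whatever happens to be stored.
    echo '<span class="ba-logo-title">'
        . esc_html( get_option( 'ba_logo_title', '' ) )
        . '</span>';
}

// The settings form must carry the nonce that the save handler verifies.
function ba_render_settings_form() {
    ?>
    <form method="post">
        <?php wp_nonce_field( 'ba_save_settings', 'ba_settings_nonce' ); ?>
        <input type="text" name="logo_title"
               value="<?php echo esc_attr( get_option( 'ba_logo_title', '' ) ); ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}
```

Note that the hardened render function escapes regardless of what the save handler did: sanitising on input and escaping on output are separate controls, and the escape is the one that stops a value written by any other code path. With the Settings API the input side is expressed as `register_setting( 'ba_options', 'ba_logo_title', [ 'sanitize_callback' => 'sanitize_text_field' ] )`, and options.php performs the nonce check for you.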

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No (a logged-in victim with rights to change the setting must be lured, or the attacker must already hold that access)
Complexity: LOW

Exploitation requires tricking a logged-in user who can change the plugin's settings (typically an administrator) into visiting an attacker-controlled page (CSRF), or already holding such access. The stored payload then executes in the browser of every user who views a page where the 'Logo Title' is rendered.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 21.06.02 or later

Vendor Advisory: https://wpscan.com/vulnerability/75abd073-b45f-4fe6-8501-7a6d0163f78d

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find the Blue Admin plugin.
4. Click 'Update Now' if an update is offered.
5. Alternatively, download the latest version from the WordPress plugin repository and replace the plugin files.

If no update is offered for the installed version, treat the site as unpatched and apply the workarounds below.

🔧 Temporary Workarounds

Disable Blue Admin Plugin (linux)

Temporarily disable the vulnerable plugin until it is patched (the slug 'blue-admin' is the repository slug; confirm it with `wp plugin list`):

wp plugin deactivate blue-admin

Implement WAF Rules (all)

Add web application firewall rules to block XSS payloads in POST requests to admin-ajax.php or the plugin's settings pages. Keep in mind that matching on script tags is bypassable (URL encoding, event-handler attributes, SVG); because the exploit vector here is CSRF, a rule that rejects POST requests to /wp-admin/ whose Origin or Referer header names another site is cheaper and harder to evade.

🧯 If You Can't Patch

  • Remove the Blue Admin plugin entirely if it is not needed
  • Implement a strict Content Security Policy (CSP) to limit the impact of XSS. Note that the WordPress admin area depends heavily on inline scripts, so a script-src policy without 'unsafe-inline' (or one using nonces) is the form that actually blocks an injected handler, and it needs testing against wp-admin before deployment

🔍 How to Verify

Check if Vulnerable:

In WordPress admin > Plugins > Installed Plugins, check the Blue Admin version. If it is 21.06.01 or earlier and the plugin is active, you are vulnerable.

Check Version:

wp plugin get blue-admin --field=version

Verify Fix Applied:

After updating, confirm that the Blue Admin version shown in the plugins list (or by the wp-cli command above) is 21.06.02 or later.

📡 Detection & Monitoring

Log Indicators:

  • POST requests to admin-ajax.php or the plugin's settings page whose parameters contain script tags, javascript: URLs or event-handler attributes (also in URL-encoded form, e.g. %3Cscript%3E)
  • POST requests to /wp-admin/ endpoints with a missing Referer/Origin header or one from another site, the shape a CSRF lure produces
  • Unexpected changes to the Blue Admin 'Logo Title' setting

Standard web-server access logs do not record POST bodies, so the payload indicators above require a source that does (a WAF audit log such as ModSecurity's, or application-level request logging).

Network Indicators:

  • HTTP requests containing script tags or JavaScript in parameters sent to WordPress admin endpoints

SIEM Query:

source="wordpress.log" AND ("admin-ajax.php" OR "blue-admin" OR "wp-admin") AND ("<script" OR "%3Cscript" OR "javascript:" OR "onerror=" OR "onload=")
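The detection logic above, as an added example that is not part of the original page: it scans JSON-lines records from a WAF or application log that includes request bodies, URL-decodes every parameter before matching, and also flags the CSRF shape (a POST to /wp-admin/ whose Origin or Referer is another site). The record format, field names and the site host 'blog.example' are constructed assumptions; the sample lines are constructed, not real traffic.

```php
<?php
// Added example, not from the original page. Assumes a log that records request
// bodies (e.g. a WAF audit log exported as JSON lines). Field names and the
// site host are assumptions; adapt them to your source.

const SITE_HOST = 'blog.example';

// Same indicators as the SIEM query, applied after URL-decoding so encoded
// payloads (%3Cscript%3E, onerror%3D) cannot slip past a literal match.
const XSS_PATTERN = '/<\s*script|javascript\s*:|on(?:error|load|mouseover|focus)\s*=/i';

// Returns a list of findings for one request record; an empty list means clean.
function classify_request(array $rec): array {
    $findings = [];
    $uri    = (string) ($rec['uri'] ?? '');
    $path   = (string) parse_url($uri, PHP_URL_PATH);
    $method = (string) ($rec['method'] ?? '');

    // Signal 1: CSRF shape. A state-changing admin POST whose Origin/Referer is
    // missing or from another host is what an auto-submitting lure page produces.
    if ($method === 'POST' && strpos($path, '/wp-admin/') === 0) {
        $origin = (string) ($rec['origin'] ?? $rec['referer'] ?? '');
        $host   = $origin !== '' ? parse_url($origin, PHP_URL_HOST) : null;
        if ($host !== SITE_HOST) {
            $findings[] = 'cross-origin admin POST from ' . ($host ?: 'no referer');
        }
    }

    // Signal 2: script payload in any parameter, query string or body.
    parse_str((string) parse_url($uri, PHP_URL_QUERY), $query);
    parse_str((string) ($rec['body'] ?? ''), $body);
    foreach (array_merge($query, $body) as $name => $value) {
        if (is_string($value) && preg_match(XSS_PATTERN, $value)) {
            $findings[] = "xss pattern in parameter '$name'";
        }
    }
    return $findings;
}

// Constructed sample records (not real traffic). Line 1 is a legitimate save,
// line 2 a CSRF-delivered payload, line 3 a reflected probe, line 4 noise.
$sample_log = <<<'LOG'
{"method":"POST","uri":"/wp-admin/options.php","referer":"https://blog.example/wp-admin/admin.php?page=blue-admin","body":"logo_title=My+Blog"}
{"method":"POST","uri":"/wp-admin/options.php","referer":"https://attacker.example/lure.html","body":"logo_title=%22%3E%3Cimg+src%3Dx+onerror%3Dalert(document.cookie)%3E"}
{"method":"GET","uri":"/wp-admin/admin.php?page=blue-admin&logo_title=%3Cscript%3Ealert(1)%3C/script%3E","referer":"https://blog.example/wp-admin/"}
{"method":"GET","uri":"/?s=hello","referer":"https://www.google.com/"}
LOG;

foreach (explode("\n", $sample_log) as $n => $line) {
    $rec = json_decode($line, true);
    if (!is_array($rec)) {
        continue;
    }
    $findings = classify_request($rec);
    printf("line %d: %s\n", $n + 1, $findings ? implode('; ', $findings) : 'clean');
}
```

Line 2 trips both signals (foreign Referer on an admin POST, and an onerror= handler once the body is decoded), which is the combination this CVE's exploit chain produces; line 3 trips only the payload pattern, line 1 and line 4 are clean. The cross-origin check is the more durable of the two, since it does not depend on guessing the payload's encoding.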
