Login Sign Up

CVE-2021-24739

8.1 HIGH
Authentication Bypass

📋 TL;DR

The Logo Carousel WordPress plugin before version 3.4.2 contains an authorization bypass vulnerability that allows users with Contributor-level permissions to duplicate and view private posts created by other users. This affects WordPress sites using vulnerable versions of the plugin, potentially exposing sensitive content.

💻 Affected Systems

Products:
  • Logo Carousel WordPress Plugin
Versions: All versions before 3.4.2
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress installation with Logo Carousel plugin and at least one user with Contributor role or higher.

📦 What is this software?

Logo Carousel by Shapedplugin

View all CVEs affecting Logo Carousel →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers gain access to confidential private posts, potentially exposing sensitive business information, unpublished content, or proprietary data.

🟠

Likely Case

Internal users with Contributor roles can view private posts they shouldn't have access to, violating content privacy controls.

🟢

If Mitigated

With proper role-based access controls and plugin updates, the risk is limited to authorized users only viewing content they're permitted to see.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access with at least Contributor permissions. The vulnerability is well-documented in security advisories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.4.2

Vendor Advisory: https://wpscan.com/vulnerability/2afadc76-93ad-47e1-a224-e442ac41cbce

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find Logo Carousel plugin. 4. Click 'Update Now' if update available. 5. Alternatively, download version 3.4.2+ from WordPress repository and replace existing plugin files.

🔧 Temporary Workarounds

Temporary Plugin Deactivation

all

Disable the vulnerable plugin until patched

wp plugin deactivate logo-carousel

Role Restriction

all

Temporarily restrict Contributor role permissions or remove users from Contributor role

wp user list --role=contributor --field=ID
wp user set-role <user_id> subscriber

🧯 If You Can't Patch

  • Remove Contributor role from all users or restrict to trusted personnel only
  • Monitor user activity logs for unauthorized access to private posts

🔍 How to Verify

Check if Vulnerable:

Check plugin version in WordPress admin under Plugins → Installed Plugins

Check Version:

wp plugin list --name=logo-carousel --field=version

Verify Fix Applied:

Confirm Logo Carousel plugin version is 3.4.2 or higher

📡 Detection & Monitoring

Log Indicators:

  • Multiple POST requests to /wp-admin/admin-ajax.php with action=logo_carousel_duplicate
  • User with Contributor role accessing private post IDs

Network Indicators:

  • Unusual AJAX requests from Contributor-level users to duplicate endpoints

SIEM Query:

source="wordpress.log" AND "logo_carousel_duplicate" AND user_role="contributor"

📊 Metadata

CVE ID: CVE-2021-24739
CVSS v3 Score: 8.1 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
CWE: CWE-639
Published: December 21, 2021
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-24739, you might also want to check these:

CVE-2025-40805 10.0

This critical vulnerability allows unauthenticated remote attackers to bypass authentication on spec...

Same vulnerability type (CWE-639)
CVE-2024-45032 10.0

This critical vulnerability allows unauthenticated remote attackers to impersonate legitimate device...

Same vulnerability type (CWE-639)
CVE-2025-0987 9.9

CVE-2025-0987 is an authorization bypass vulnerability in CB Project Ltd. Co. CVLand software that a...

Same vulnerability type (CWE-639)