CVE-2021-24803
📋 TL;DR
The Core Tweaks WP Setup WordPress plugin through version 4.1 does not perform a CSRF (nonce) check when saving its settings. An attacker who lures a logged-in administrator to a page they control can make the administrator's browser submit the plugin's settings form, changing the WordPress admin email or creating a new administrator account with the victim's own session. The attacker needs no credentials of their own; the request is authorized by the victim's cookies. Any WordPress site running an affected plugin version is exposed, and a successful attack hands the attacker full administrative control.
💻 Affected Systems
- Core Tweaks WP Setup WordPress Plugin
📦 What is this software?
Core Tweaks Wp Setup by Core Tweaks Wp Setup Project
⚠️ Risk & Real-World Impact
Worst Case
Complete website takeover where attacker creates new admin account, changes admin email, locks out legitimate administrators, and gains full control over the WordPress installation.
Likely Case
Attacker creates hidden admin account, maintains persistent access, and can modify content, install malicious plugins, or steal sensitive data.
If Mitigated
With proper CSRF protection and security controls, the attack would fail, maintaining normal website operations.
🎯 Exploit Status
Exploitation requires luring an administrator who is currently logged in to WordPress into visiting an attacker-controlled page or clicking a crafted link; the page submits a forged request to the plugin's settings handler and the browser attaches the administrator's session cookies. The attacker does not need an account on the target site. Users who are not logged in as administrators cannot be used as CSRF victims for this issue.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 4.2 or later
Vendor Advisory: https://wpscan.com/vulnerability/97adac02-4163-48d4-ba14-0b1badfd3d42
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'Core Tweaks WP Setup'.
4. Click 'Update Now' if an update is available.
5. If no update is available, deactivate and delete the plugin immediately.
🔧 Temporary Workarounds
Deactivate Vulnerable Plugin
Temporarily disable the Core Tweaks WP Setup plugin until a patched version is available
wp plugin deactivate core-tweaks-wp-setup
Implement CSRF Protection
If you maintain a private fork of the plugin, add WordPress nonce verification to the settings-save handler: emit the token in the form with wp_nonce_field() and verify it before acting with check_admin_referer() (or wp_verify_nonce()), alongside a current_user_can() capability check. Edits made directly to third-party plugin files are overwritten by the next plugin update.
Add wp_nonce_field() and wp_verify_nonce() / check_admin_referer() calls to the plugin PHP files that process the settings form
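The following is an added illustration of the CSRF-prone pattern this advisory describes and of the hardened form that the workaround above asks for. It is example code written for this page, not the Core Tweaks WP Setup plugin's source; the ctws_ prefix, the field names, the menu slug 'ctws-setup' and the nonce action 'ctws_save_settings' are all invented for the example. The vulnerable function is shown for comparison only and is deliberately not registered on any hook.

```php
<?php
/**
 * Example settings handler: CSRF-prone pattern vs hardened pattern.
 * Added example code, not the plugin's own source. All ctws_* names,
 * the menu slug and the nonce action are hypothetical.
 */

// Shared effect of a settings save: change the site admin email and/or
// create a new administrator. This is the sensitive operation that must
// only ever run for a request the site itself rendered.
function ctws_apply_settings() {
    if ( ! empty( $_POST['admin_email'] ) ) {
        update_option( 'admin_email', sanitize_email( wp_unslash( $_POST['admin_email'] ) ) );
    }
    if ( ! empty( $_POST['new_admin_login'] ) && ! empty( $_POST['new_admin_pass'] ) ) {
        $uid = wp_create_user(
            sanitize_user( wp_unslash( $_POST['new_admin_login'] ) ),
            $_POST['new_admin_pass'],
            sanitize_email( wp_unslash( $_POST['new_admin_email'] ?? '' ) )
        );
        if ( ! is_wp_error( $uid ) ) {
            ( new WP_User( $uid ) )->set_role( 'administrator' );
        }
    }
}

// BEFORE (vulnerable, NOT hooked): the only thing authorizing this request is
// the admin session cookie that the browser attaches automatically. A <form>
// on an attacker's site posting to the plugin page is indistinguishable from
// the real form, so the victim's identity is used to apply attacker values.
function ctws_save_settings_vulnerable() {
    if ( empty( $_POST['ctws_save'] ) ) {
        return;
    }
    ctws_apply_settings();
}

// AFTER (hardened): capability check plus nonce check.
function ctws_save_settings_hardened() {
    if ( empty( $_POST['ctws_save'] ) ) {
        return;
    }
    // 1. Authorization: the acting user must be allowed to manage the site.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.' ), 403 );
    }
    // 2. CSRF: check_admin_referer() reads $_POST['ctws_nonce'], verifies it
    //    against the action name and the current user's session (nonces are
    //    user-bound, time-limited tokens), and dies with the "Are you sure?"
    //    screen if it is missing, forged or expired. A page on another origin
    //    cannot read this site's nonce, so it cannot build a passing request.
    check_admin_referer( 'ctws_save_settings', 'ctws_nonce' );
    ctws_apply_settings();
}
add_action( 'admin_init', 'ctws_save_settings_hardened' );

// The legitimate form must embed the nonce the handler expects.
function ctws_render_page() {
    ?>
    <form method="post">
        <?php wp_nonce_field( 'ctws_save_settings', 'ctws_nonce' ); ?>
        <input type="email" name="admin_email"
               value="<?php echo esc_attr( get_option( 'admin_email' ) ); ?>">
        <input type="text" name="new_admin_login">
        <input type="email" name="new_admin_email">
        <input type="password" name="new_admin_pass">
        <input type="submit" name="ctws_save" value="Save">
    </form>
    <?php
}
add_action( 'admin_menu', function () {
    add_options_page( 'CTWS Setup', 'CTWS Setup', 'manage_options', 'ctws-setup', 'ctws_render_page' );
} );
```

The capability check comes first because a nonce only proves the request originated from a page this site rendered for this user; it says nothing about whether that user is allowed to create administrators. Checking both is the standard WordPress pattern for any state-changing admin action.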
🧯 If You Can't Patch
- Deactivate and remove the Core Tweaks WP Setup plugin completely
- Add web application firewall (WAF) or reverse-proxy rules that reject state-changing POST requests to /wp-admin/ whose Origin or Referer header is absent or does not match the site's own origin; this blocks cross-site form submissions but does not fix the missing nonce check in the plugin
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin > Plugins > Installed Plugins for 'Core Tweaks WP Setup' version 4.1 or earlier
Check Version:
wp plugin list --name='core-tweaks-wp-setup' --field=version
Verify Fix Applied:
Verify plugin version is 4.2 or later, or confirm plugin is not installed
📡 Detection & Monitoring
Log Indicators:
- Unexpected admin user creation
- Admin email change events
- POST requests to the plugin's admin page (reported as /wp-admin/admin.php?page=core-tweaks-wp-setup) whose Referer or Origin header is missing or belongs to a different site
Network Indicators:
- Cross-origin POST requests to /wp-admin/ endpoints (visible only where TLS is terminated, such as a reverse proxy or WAF)
- Administrator account creation or admin email changes that coincide with a cross-origin request rather than with interactive admin activity
SIEM Query:
source="wordpress.log" AND ("new user created" OR "email changed") AND user_role="administrator"
Note that WordPress core does not log user creation or admin email changes by itself; a query like this assumes an audit-logging plugin or custom hook is forwarding such events to the SIEM.
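Because WordPress core emits none of the log events above on its own, the following added example shows one way to produce them. It is a small must-use plugin written for this page (not part of the Core Tweaks WP Setup plugin) that writes a JSON line to the PHP error log whenever a user gains the administrator role or the admin_email option changes, recording the Referer and Origin so a CSRF-driven change stands out. The ctws_audit_ names and the 'wp_audit' log prefix are invented for the example.

```php
<?php
/**
 * Plugin Name: Admin Change Audit (example)
 * Description: Added example code for this advisory page. Logs administrator
 * grants and admin_email changes as JSON lines via error_log(). Place in
 * wp-content/mu-plugins/ so it cannot be deactivated from the dashboard.
 */

// Build one audit record and hand it to the PHP error log, from where the web
// server or a log shipper can forward it to the SIEM.
function ctws_audit_emit( $event, array $fields ) {
    $actor  = wp_get_current_user();
    $record = array_merge(
        array(
            'ts'       => gmdate( 'c' ),
            'event'    => $event,
            'actor_id' => $actor->ID,          // 0 when there is no session (e.g. WP-CLI)
            'actor'    => $actor->user_login,
            'ip'       => $_SERVER['REMOTE_ADDR'] ?? '',
            // A CSRF-driven change arrives with a Referer/Origin from another
            // site (or none at all); a legitimate one comes from this site's
            // own /wp-admin/ pages.
            'referer'  => $_SERVER['HTTP_REFERER'] ?? '',
            'origin'   => $_SERVER['HTTP_ORIGIN'] ?? '',
            'uri'      => $_SERVER['REQUEST_URI'] ?? '',
        ),
        $fields
    );
    error_log( 'wp_audit ' . wp_json_encode( $record ) );
}

function ctws_audit_user_fields( $user_id ) {
    $u = get_userdata( $user_id );
    return array(
        'user_id'    => (int) $user_id,
        'user_login' => $u ? $u->user_login : '',
        'user_email' => $u ? $u->user_email : '',
    );
}

// WP_User::set_role() fires this for new users (wp_insert_user) and for
// role changes on existing users; report only transitions into administrator.
add_action( 'set_user_role', function ( $user_id, $role, $old_roles ) {
    if ( 'administrator' === $role && ! in_array( 'administrator', (array) $old_roles, true ) ) {
        ctws_audit_emit( 'admin_role_granted', ctws_audit_user_fields( $user_id ) );
    }
}, 10, 3 );

// WP_User::add_role() (additional role, not a replacement) fires this instead.
add_action( 'add_user_role', function ( $user_id, $role ) {
    if ( 'administrator' === $role ) {
        ctws_audit_emit( 'admin_role_added', ctws_audit_user_fields( $user_id ) );
    }
}, 10, 2 );

// update_option() fires update_option_{$option} with old and new values.
add_action( 'update_option_admin_email', function ( $old_value, $new_value ) {
    ctws_audit_emit( 'admin_email_changed', array(
        'old_email' => $old_value,
        'new_email' => $new_value,
    ) );
}, 10, 2 );
```

Direct writes to the wp_usermeta or wp_options tables bypass these hooks, so this covers changes made through the WordPress API (which is what a CSRF-triggered plugin handler uses), not a compromised database. When the events reach the SIEM, a record whose referer is empty or names a foreign host while event is admin_role_granted or admin_email_changed is the signal to investigate.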