CVE-2021-24906

7.5 HIGH

📋 TL;DR

The Protect WP Admin WordPress plugin before version 3.6.2 contains an authorization bypass vulnerability in the lib/pwa-deactivate.php file. Unauthenticated attackers can send crafted requests to disable the plugin, removing its security protections. This affects all WordPress sites running vulnerable versions of the plugin.

💻 Affected Systems

Products:
  • Protect WP Admin WordPress plugin
Versions: All versions before 3.6.2
Operating Systems: All operating systems running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: All WordPress installations with the vulnerable plugin version are affected regardless of configuration.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers disable the plugin's security features, then exploit other vulnerabilities that were previously blocked, potentially leading to complete site compromise.

🟠

Likely Case

Attackers disable the plugin's protection, then perform unauthorized actions that the plugin was designed to prevent, such as accessing restricted admin areas.

🟢

If Mitigated

With proper network controls and monitoring, the impact is limited to temporary plugin disruption until detected and restored.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only a simple HTTP request to the vulnerable endpoint without authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.6.2

Vendor Advisory: https://wpscan.com/vulnerability/4204682b-f657-42e1-941c-bee7a245e9fd

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins.
3. Find the Protect WP Admin plugin.
4. Update to version 3.6.2 or later.
5. Verify the update completed successfully.

🔧 Temporary Workarounds

Block access to vulnerable endpoint

all

Add web server rules to block access to the lib/pwa-deactivate.php file

# For Apache: add to .htaccess (or the vhost config). Order/Deny is the
# Apache 2.2 syntax and needs mod_access_compat on 2.4; on a plain Apache 2.4
# build use "Require all denied" inside the <Files> block instead.
<Files "pwa-deactivate.php">
    Order Allow,Deny
    Deny from all
</Files>
# For Nginx: add to the server block. Put this regex location before the
# generic "\.php$" handler location, because the first matching regex wins.
location ~* /lib/pwa-deactivate\.php$ {
    deny all;
    return 403;
}

🧯 If You Can't Patch

  • Disable or remove the Protect WP Admin plugin entirely
  • Implement network-level WAF rules to block requests to the vulnerable endpoint

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > Protect WP Admin version. If version is below 3.6.2, you are vulnerable.

Check Version:

# In WordPress admin panel, navigate to Plugins page and check Protect WP Admin version

Verify Fix Applied:

Confirm plugin version is 3.6.2 or higher in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests to /wp-content/plugins/protect-wp-admin/lib/pwa-deactivate.php
  • Plugin deactivation events in WordPress logs without admin authentication

Network Indicators:

  • POST/GET requests to pwa-deactivate.php endpoint from unauthenticated sources

SIEM Query:

source="web_server" AND (uri="*pwa-deactivate.php" OR message="*Protect WP Admin*deactivated*")
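For sites whose web server logs are not yet fed into a SIEM, the same log indicator can be checked offline. The script below is an added example, not part of the advisory or the plugin: it parses combined-format access log lines (the default Apache/Nginx layout), flags every request whose path ends in `/lib/pwa-deactivate.php` (matching on the suffix also catches renamed plugin directories), and separates requests the server served (2xx/3xx, which warrant checking whether the plugin is still active) from requests it blocked (4xx/5xx, e.g. by the workaround rules above). The log lines and IP addresses are constructed sample data.

```python
"""Scan combined-format access logs for requests to the Protect WP Admin
deactivation endpoint listed as a log indicator for CVE-2021-24906.

Added example, not part of the advisory. SAMPLE_LOG is constructed data.
"""
import re
from collections import Counter

# Suffix of the endpoint path from the advisory's log indicators. Matching on
# the suffix rather than the full path also covers a renamed plugin directory.
ENDPOINT_SUFFIX = "/lib/pwa-deactivate.php"

# Combined log format:
# ip ident user [time] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines (not real traffic); the second and fourth lines
# touch the endpoint, one served with 200 and one blocked with 403.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Nov/2021:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Nov/2021:10:00:05 +0000] "GET /wp-content/plugins/protect-wp-admin/lib/pwa-deactivate.php HTTP/1.1" 200 17 "-" "python-requests/2.25"
198.51.100.7 - - [01/Nov/2021:10:00:06 +0000] "GET /wp-admin/ HTTP/1.1" 200 9876 "-" "python-requests/2.25"
203.0.113.22 - - [01/Nov/2021:10:05:00 +0000] "POST /wp-content/plugins/protect-wp-admin/lib/pwa-deactivate.php?x=1 HTTP/1.1" 403 199 "-" "curl/7.68.0"
203.0.113.10 - - [01/Nov/2021:10:06:00 +0000] "GET /index.php HTTP/1.1" 200 5555 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    # Drop any query string so the path comparison is not fooled by "?x=1".
    entry["path"] = entry["path"].split("?", 1)[0]
    return entry


def find_deactivation_requests(log_text):
    """Return parsed entries whose request path ends with the vulnerable endpoint."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and entry["path"].lower().endswith(ENDPOINT_SUFFIX):
            hits.append(entry)
    return hits


def summarize(hits):
    """Count hits per source IP, split into served (<400) and blocked (>=400)."""
    served = Counter(h["ip"] for h in hits if h["status"] < 400)
    blocked = Counter(h["ip"] for h in hits if h["status"] >= 400)
    return {"served": dict(served), "blocked": dict(blocked)}


if __name__ == "__main__":
    found = find_deactivation_requests(SAMPLE_LOG)
    for h in found:
        verdict = "SERVED - verify plugin is still active" if h["status"] < 400 else "blocked"
        print(f'{h["time"]} {h["ip"]} {h["method"]} {h["path"]} -> {h["status"]} ({verdict})')
    print(summarize(found))
```

Any "served" hit should be followed by the verification step above (confirm the plugin is still active and at 3.6.2 or later); a "blocked" hit is evidence the workaround rule is doing its job, and the source IP is a candidate for the network-level WAF rules.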
