CVE-2021-24916
📋 TL;DR
The Qubely WordPress plugin before version 1.8.6 contains an unauthenticated email injection vulnerability. Unauthenticated attackers can send arbitrary emails to any recipient address via the qubely_send_form_data AJAX action. This affects all WordPress sites running vulnerable versions of the Qubely plugin.
💻 Affected Systems
- Qubely WordPress Plugin
📦 What is this software?
Qubely by Themeum
⚠️ Risk & Real-World Impact
Worst Case
Attackers could send phishing emails, spam, or malicious content appearing to originate from the legitimate site, potentially damaging reputation and enabling further social engineering attacks.
Likely Case
Spam campaigns, phishing attempts, or email harassment using the vulnerable site's email infrastructure.
If Mitigated
Limited to email system abuse without direct access to sensitive data or system compromise.
🎯 Exploit Status
Simple HTTP POST request to the vulnerable AJAX endpoint with crafted parameters.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.8.6
Vendor Advisory: https://wpscan.com/vulnerability/93b893be-59ad-4500-8edb-9fa7a45304d5
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find the Qubely plugin.
4. Click 'Update Now' if available.
5. Alternatively, download version 1.8.6+ from the WordPress repository and update manually.
🔧 Temporary Workarounds
Disable Qubely Plugin
Temporarily deactivate the vulnerable plugin until it is patched.
wp plugin deactivate qubely
Restrict AJAX Access
Block unauthenticated access to admin-ajax.php for Qubely endpoints via a web application firewall or .htaccess.
# Add to .htaccess (requires mod_rewrite). mod_rewrite only sees the URL and
# query string: an 'action' parameter sent only in the POST body is not matched
# here, so pair this rule with a WAF rule that inspects request bodies.
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/wp-admin/admin-ajax\.php$
RewriteCond %{QUERY_STRING} action=qubely_send_form_data
RewriteRule ^ - [F]
🧯 If You Can't Patch
- Implement rate limiting on admin-ajax.php endpoints
- Deploy web application firewall rules to block malicious POST requests to qubely_send_form_data
🔍 How to Verify
Check if Vulnerable:
In the WordPress admin panel, go to Plugins and check the Qubely version. If it is below 1.8.6, the site is vulnerable.
Check Version:
wp plugin get qubely --field=version
Verify Fix Applied:
Confirm Qubely plugin version is 1.8.6 or higher in WordPress admin.
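The version check above is easy to get wrong when scripted, because comparing version strings lexically puts "1.10.0" before "1.8.6". The following added example (not part of this advisory or of the Qubely plugin) compares versions numerically against the patched release and also extracts the version from a WordPress plugin header comment, so it can be pointed at the plugin's main PHP file. The sample header is constructed here; the plugin file path in the usage note is an assumption.

```python
import re

# Patched release named in the advisory.
FIXED_VERSION = "1.8.6"

# Constructed sample of a WordPress plugin header (not the real Qubely file).
SAMPLE_PLUGIN_HEADER = """<?php
/**
 * Plugin Name: Qubely
 * Description: Example header for a version check.
 * Version: 1.8.5
 */
"""


def parse_version(version: str) -> tuple:
    """Turn '1.8.6' or '1.10.0' into a tuple of ints so comparison is numeric.

    A string comparison ("1.10.0" < "1.8.6" is True) would misreport a patched
    site as vulnerable; tuple comparison handles multi-digit components correctly.
    Any non-numeric suffix such as '-beta' is dropped from the component it sits on.
    """
    parts = []
    for piece in version.strip().split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group(0)))
    return tuple(parts)


def is_vulnerable(version: str) -> bool:
    """True when the installed version is below the patched release."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def version_from_plugin_header(php_source: str):
    """Extract the 'Version:' field from a WordPress plugin header comment."""
    match = re.search(r"^\s*\*?\s*Version:\s*([0-9][\w.\-]*)", php_source, re.MULTILINE)
    return match.group(1) if match else None


if __name__ == "__main__":
    # Assumed path of the plugin's main file; adjust to the actual install.
    # with open("wp-content/plugins/qubely/qubely.php") as fh:
    #     source = fh.read()
    source = SAMPLE_PLUGIN_HEADER
    found = version_from_plugin_header(source)
    print(f"installed {found}, vulnerable: {is_vulnerable(found)}")
```

The same `is_vulnerable` function can be fed the output of `wp plugin get qubely --field=version` when WP-CLI is available.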
📡 Detection & Monitoring
Log Indicators:
- Multiple POST requests to /wp-admin/admin-ajax.php with 'action=qubely_send_form_data' from unauthenticated users
- Unusual email sending activity from WordPress site
Network Indicators:
- HTTP POST requests to admin-ajax.php with qubely_send_form_data parameter from external IPs
SIEM Query:
source="web_logs" AND uri="/wp-admin/admin-ajax.php" AND method="POST" AND query="*action=qubely_send_form_data*"
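For environments without a SIEM, the log indicators above can be checked directly against web server access logs. The added example below (written for this page, not taken from the advisory or the plugin) parses combined-format log lines, keeps POST requests to admin-ajax.php whose query string carries the qubely_send_form_data action, and counts them per source IP so that bursts from one address stand out. The log lines are constructed samples with documentation IP ranges. Note that access logs record the query string only: a request that passes the action parameter in the POST body will not show up here and needs a WAF or body-logging layer to detect.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Apache/Nginx "combined" format; the request line is split into method and target.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

AJAX_PATH = "/wp-admin/admin-ajax.php"
TARGET_ACTION = "qubely_send_form_data"

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2021:13:55:36 +0000] "POST /wp-admin/admin-ajax.php?action=qubely_send_form_data HTTP/1.1" 200 58 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2021:13:55:37 +0000] "POST /wp-admin/admin-ajax.php?action=qubely_send_form_data HTTP/1.1" 200 58 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2021:13:55:38 +0000] "POST /wp-admin/admin-ajax.php?action=qubely_send_form_data HTTP/1.1" 200 58 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2021:13:56:01 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 31 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2021:13:56:02 +0000] "GET /index.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Oct/2021:13:57:10 +0000] "POST /wp-admin/admin-ajax.php?action=qubely_send_form_data HTTP/1.1" 200 58 "-" "curl/7.68.0"
"""


def parse_line(line: str):
    """Return the parsed fields of one combined-format line, or None if it does not match."""
    match = LOG_RE.match(line)
    return match.groupdict() if match else None


def is_qubely_mail_request(record: dict) -> bool:
    """True for a POST to admin-ajax.php whose query string selects the vulnerable action.

    Only the query string is visible in access logs; an action sent in the POST
    body cannot be detected from these lines.
    """
    if record["method"] != "POST":
        return False
    parts = urlsplit(record["target"])
    if parts.path != AJAX_PATH:
        return False
    return TARGET_ACTION in parse_qs(parts.query).get("action", [])


def scan(log_text: str, burst_threshold: int = 3):
    """Scan log text and return (matching records, per-IP counts, IPs at or above threshold)."""
    hits = []
    for line in log_text.splitlines():
        record = parse_line(line)
        if record and is_qubely_mail_request(record):
            hits.append(record)
    counts = Counter(record["ip"] for record in hits)
    flagged = sorted(ip for ip, n in counts.items() if n >= burst_threshold)
    return hits, counts, flagged


if __name__ == "__main__":
    hits, counts, flagged = scan(SAMPLE_LOG)
    for ip, n in counts.most_common():
        print(f"{ip}: {n} request(s) to {TARGET_ACTION}")
    print("burst sources:", flagged)
```

Run it against a real file by replacing `SAMPLE_LOG` with the contents of the access log; the threshold is a starting point and should be tuned to the site's legitimate contact-form traffic.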