CVE-2021-24922

9.0 CRITICAL

📋 TL;DR

The Pixel Cat WordPress plugin (before 2.6.2) does not protect its settings form against Cross-Site Request Forgery, so an attacker can make a logged-in administrator submit that form without their knowledge simply by getting them to open an attacker-controlled page. The values written by that forged submission are not sanitised, so the attacker can plant script in the plugin's settings that then runs in the browser of administrators who view them, which can be escalated to full compromise of the site. The attacker needs no account on the target site; only sites running a vulnerable version of Pixel Cat are affected.

💻 Affected Systems

Products:
  • Pixel Cat WordPress Plugin
Versions: All versions before 2.6.2
Operating Systems: All operating systems running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress installation with Pixel Cat plugin installed and at least one administrator account.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Script running in an administrator's browser acts with that administrator's privileges: it can install a backdoored plugin or theme, create a new administrator account, steal sensitive data, or take complete control of the website.

🟠 Likely Case

Attacker injects JavaScript into the plugin's settings that steals administrator session cookies, redirects visitors to malicious sites, or defaces the website.

🟢 If Mitigated

With a nonce (CSRF) check on the settings form and sanitisation and escaping of the stored values, the forged submission is rejected and no unauthorised change occurs.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM
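The pattern behind the TL;DR and the "If Mitigated" row, as an added illustration that is not Pixel Cat's code and not taken from the advisory: a generic WordPress settings handler with the two weaknesses described (no CSRF check, no sanitisation or escaping) next to its hardened form. The option name, field name, nonce action and capability are hypothetical.

```php
<?php
// Added illustration, not code from Pixel Cat: a generic WordPress settings
// handler showing the two weaknesses the advisory describes (no CSRF check,
// no sanitisation/escaping) next to its hardened form. The option name,
// field name, nonce action and capability are hypothetical.

// ---- Vulnerable pattern (shown only; not registered) ----------------------
function example_vuln_save_settings() {
    if ( isset( $_POST['example_pixel_id'] ) ) {
        // No nonce check: any page the logged-in admin visits can submit
        // this form on their behalf (CSRF).
        // No sanitisation: a value such as "><script>...</script> is stored.
        update_option( 'example_pixel_id', $_POST['example_pixel_id'] );
    }
}

function example_vuln_render_settings() {
    $id = get_option( 'example_pixel_id', '' );
    // No escaping: the stored payload breaks out of the attribute and runs
    // in the browser of every administrator who opens this page.
    echo '<input type="text" name="example_pixel_id" value="' . $id . '">';
}

// ---- Hardened pattern -------------------------------------------------------
function example_safe_save_settings() {
    if ( ! isset( $_POST['example_pixel_id'] ) ) {
        return;
    }
    // Authorisation: only users who may manage options can save.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.', 'Forbidden', array( 'response' => 403 ) );
    }
    // CSRF: the nonce is bound to the logged-in user and this action string;
    // an attacker's page cannot read it, so a forged POST dies here.
    check_admin_referer( 'example_save_settings', 'example_nonce' );
    // Sanitisation: strip tags and control characters before storing.
    $id = sanitize_text_field( wp_unslash( $_POST['example_pixel_id'] ) );
    update_option( 'example_pixel_id', $id );
}
add_action( 'admin_init', 'example_safe_save_settings' );

function example_safe_render_settings() {
    $id = get_option( 'example_pixel_id', '' );
    echo '<form method="post">';
    // Emits the hidden nonce field that check_admin_referer() verifies.
    wp_nonce_field( 'example_save_settings', 'example_nonce' );
    // Escaping: stored data can no longer terminate the attribute.
    echo '<input type="text" name="example_pixel_id" value="' . esc_attr( $id ) . '">';
    submit_button();
    echo '</form>';
}
```

On a failed nonce check `check_admin_referer()` stops the request with WordPress's "The link you followed has expired" page, so the forged submission never reaches `update_option()`. Plugins that post their settings to `options.php` through the Settings API (`register_setting()` plus `settings_fields()`) get the nonce and capability checks from WordPress core; the sanitisation and escaping are still the plugin author's job.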

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: No (the attacker needs no account on the site, but a logged-in administrator must be made to submit the request)
Complexity: LOW

Exploitation requires tricking an administrator who is logged in to the target site into clicking a malicious link or visiting a crafted page; the page submits the plugin's settings form in the administrator's browser, which attaches their session cookie.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.6.2

Vendor Advisory: https://wpscan.com/vulnerability/399ffd65-f3c0-4fbe-a83a-2a620976aad2

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the Pixel Cat plugin.
4. Click 'Update Now' if available, or download version 2.6.2 or later from the WordPress plugin repository.
5. Activate the updated plugin.

🔧 Temporary Workarounds

Disable Pixel Cat Plugin (all platforms)

Temporarily deactivate the vulnerable plugin until patching is possible; a deactivated plugin's settings page is not served, so there is no form to forge.

wp plugin deactivate pixel-cat

Implement CSRF Protection (all platforms)

Add a nonce check (check_admin_referer() or wp_verify_nonce()) to the plugin's settings handler via custom code, or put a same-origin rule in front of the settings page with a security plugin or WAF. Editing a third-party plugin's files is fragile (the next update overwrites the change), so treat this as a stop-gap and prefer deactivation or the official update.

🧯 If You Can't Patch

  • Prefer deactivating the plugin over network controls: restricting wp-admin to trusted networks does not stop CSRF, because the forged request is sent by the administrator's own browser from wherever they are logged in; it only shrinks the set of users who can be lured.
  • Put a rule in front of the site (WAF, reverse proxy or a must-use plugin) that rejects POST requests to /wp-admin/ whose Origin or Referer header is absent or names a host other than the site's own. Test it against genuine saves first, since some privacy settings strip the Referer header.
  • Browsers that treat cookies without a SameSite attribute as Lax (Chromium-based ones) withhold the login cookie on most cross-site form POSTs, which blunts this attack, but not every browser does, so this is not a substitute for the patch.
  • Ask administrators not to browse untrusted sites while logged in to wp-admin and to log out when done; the attack only works against an active session.
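A concrete form of the "WAF rules" item and of the "Implement CSRF Protection" workaround that needs no edge device, as an added example (not Pixel Cat's code, not from the advisory): a must-use plugin that rejects POSTs to the plugin's settings page whose Origin or Referer header is missing or belongs to another host. It assumes the settings page slug `pixel-cat` that this page's Log Indicators use, and that the plugin handles its form on that page; the constant and function names are hypothetical.

```php
<?php
/**
 * Plugin Name: Same-origin guard for the Pixel Cat settings page
 * Description: Added example (not Pixel Cat's code). Rejects POSTs to the
 * plugin's settings page whose Origin/Referer is missing or not this site.
 * Drop into wp-content/mu-plugins/ as a stop-gap; remove once 2.6.2 is installed.
 */

// Assumption: the settings page slug is the one this advisory page uses in
// its log indicators (admin.php?page=pixel-cat). Adjust if it differs.
define( 'PC_GUARD_PAGE_SLUG', 'pixel-cat' );

/**
 * Returns true when the request may proceed. Kept free of WordPress calls so
 * the decision can be reasoned about (and unit-tested) outside WordPress.
 */
function pc_guard_is_same_origin( $method, $page, $origin, $referer, $site_host ) {
    if ( 'POST' !== strtoupper( $method ) || PC_GUARD_PAGE_SLUG !== $page ) {
        return true; // Not a state-changing request to the guarded page.
    }
    // Browsers send Origin on cross-site POSTs; fall back to Referer otherwise.
    $source = $origin ?: $referer;
    if ( '' === $source ) {
        return false; // Fail closed: a browser form POST carries at least one.
    }
    $host = parse_url( $source, PHP_URL_HOST );
    return is_string( $host ) && 0 === strcasecmp( $host, (string) $site_host );
}

function pc_guard_enforce() {
    $allowed = pc_guard_is_same_origin(
        $_SERVER['REQUEST_METHOD'] ?? 'GET',
        $_GET['page'] ?? '',
        $_SERVER['HTTP_ORIGIN'] ?? '',
        $_SERVER['HTTP_REFERER'] ?? '',
        wp_parse_url( home_url(), PHP_URL_HOST )
    );
    if ( ! $allowed ) {
        // Leave a trace for the SIEM before refusing the request.
        error_log( 'pc-guard: blocked cross-site POST to page=' . PC_GUARD_PAGE_SLUG
            . ' from ' . ( $_SERVER['REMOTE_ADDR'] ?? '?' ) );
        wp_die( 'Cross-site request rejected.', 'Forbidden', array( 'response' => 403 ) );
    }
}
// Priority 1 so the guard runs before the plugin's own admin_init handlers.
add_action( 'admin_init', 'pc_guard_enforce', 1 );
```

The guard only inspects requests that carry `page=pixel-cat`, so it does nothing for other admin pages and nothing for GET requests. It fails closed: an administrator whose browser sends neither Origin nor Referer on a form POST (unusual, but possible with aggressive privacy extensions) will see a 403 on that page until the guard is removed.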

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → Installed Plugins for Pixel Cat version. If version is below 2.6.2, system is vulnerable.

Check Version:

wp plugin get pixel-cat --field=version

Verify Fix Applied:

Confirm Pixel Cat plugin version is 2.6.2 or higher in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

  • POST requests to /wp-admin/admin.php?page=pixel-cat (the plugin's settings page) whose Referer is missing or names a host other than the site itself; a genuine save is referred from the site's own wp-admin.
  • A plugin setting changing at a time when no administrator was working on the site. WordPress does not log option changes by default, so this needs an activity-log plugin or a periodic comparison of the plugin's stored options.
  • Script tags or event-handler attributes inside the plugin's stored settings, which indicates a forged submission has already succeeded.

Network Indicators:

  • Cross-site form submissions to the plugin settings endpoint: POSTs to the page above carrying an Origin or Referer header for a foreign domain.

SIEM Query:

source="wordpress.log" AND method="POST" AND uri="/wp-admin/admin.php" AND query="page=pixel-cat" AND NOT referer="https://<your-site-host>/*"

(<your-site-host> is a placeholder for the site's own hostname; map the field names to whatever your log source actually uses.)
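The Referer header is what separates a forged submission from a genuine save in an ordinary access log, so as an added example (not part of the advisory) here is that check run over a few constructed combined-format log lines. The hostname `shop.example`, the sample lines and the `page=pixel-cat` slug are assumptions; adjust the slug if the plugin's settings page is named differently.

```php
<?php
// Added example (not from the advisory): flag likely CSRF submissions to the
// Pixel Cat settings page in Apache/nginx combined-format access logs.
// A cross-site form POST arrives with a Referer from a foreign host (or no
// Referer at all), while a genuine save is referred from the site's own
// wp-admin. The log lines below are constructed for illustration.

const SITE_HOST = 'shop.example';   // hypothetical site hostname

// Combined log format: ip - user [time] "METHOD path HTTP/x" status size "referer" "ua"
const LOG_RE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "[^"]*"$/';

function parse_log_line( $line ) {
    if ( ! preg_match( LOG_RE, $line, $m ) ) {
        return null;
    }
    return array( 'ip' => $m[1], 'time' => $m[2], 'method' => $m[3],
                  'path' => $m[4], 'status' => (int) $m[5], 'referer' => $m[6] );
}

// True for a POST to /wp-admin/admin.php with page=pixel-cat in the query.
function is_settings_post( $req ) {
    if ( 'POST' !== $req['method'] ) {
        return false;
    }
    $path  = parse_url( $req['path'], PHP_URL_PATH );
    $query = parse_url( $req['path'], PHP_URL_QUERY );
    parse_str( (string) $query, $q );
    return '/wp-admin/admin.php' === $path && ( $q['page'] ?? '' ) === 'pixel-cat';
}

// Verdict based on where the submission was referred from.
function csrf_verdict( $req ) {
    $ref = $req['referer'];
    if ( '-' === $ref || '' === $ref ) {
        return 'SUSPECT: no Referer';
    }
    $host = (string) parse_url( $ref, PHP_URL_HOST );
    if ( 0 !== strcasecmp( $host, SITE_HOST ) ) {
        return "SUSPECT: cross-site Referer ($host)";
    }
    return 'ok: same-origin save';
}

function scan( array $lines ) {
    $out = array();
    foreach ( $lines as $line ) {
        $req = parse_log_line( $line );
        if ( $req && is_settings_post( $req ) ) {
            $out[] = $req['time'] . ' ' . $req['ip'] . ' ' . csrf_verdict( $req );
        }
    }
    return $out;
}

// Constructed sample: one genuine save, one forged from a foreign page, one
// with the Referer stripped. The GET line is ignored (not a state change).
$sample = array(
    '203.0.113.9 - - [12/Jan/2022:10:01:02 +0000] "GET /wp-admin/admin.php?page=pixel-cat HTTP/1.1" 200 5120 "https://shop.example/wp-admin/" "Mozilla/5.0"',
    '203.0.113.9 - - [12/Jan/2022:10:01:30 +0000] "POST /wp-admin/admin.php?page=pixel-cat HTTP/1.1" 200 5120 "https://shop.example/wp-admin/admin.php?page=pixel-cat" "Mozilla/5.0"',
    '203.0.113.9 - - [12/Jan/2022:14:22:11 +0000] "POST /wp-admin/admin.php?page=pixel-cat HTTP/1.1" 200 5120 "https://evil.example/win-a-prize.html" "Mozilla/5.0"',
    '203.0.113.9 - - [12/Jan/2022:14:23:05 +0000] "POST /wp-admin/admin.php?page=pixel-cat HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
);

foreach ( scan( $sample ) as $alert ) {
    echo $alert, PHP_EOL;
}
```

Note that the source IP is the same on all four lines: the forged request comes from the administrator's own machine, so IP-based reputation does not help here, and the Referer (or, at the proxy, the Origin header) is the field to key on. A missing Referer is reported as suspect rather than ignored because a browser form submission from the site's own wp-admin normally carries one.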
