CVE-2021-34628

8.8 HIGH

📋 TL;DR

This Cross-Site Request Forgery (CSRF) vulnerability in the Admin Custom Login WordPress plugin allows attackers to trick authenticated administrators into executing malicious actions without their knowledge. Attackers can inject arbitrary web scripts through the login background save functionality, potentially compromising WordPress sites. All WordPress installations using Admin Custom Login plugin versions up to 3.2.7 are affected.

💻 Affected Systems

Products:
  • Admin Custom Login WordPress Plugin
Versions: All versions up to and including 3.2.7
Operating Systems: All operating systems running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress administrator to be tricked into visiting a malicious page while authenticated.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case
Complete site takeover through script injection leading to backdoor installation, credential theft, or malware distribution to visitors.

🟠 Likely Case
Unauthorized script injection modifying login pages, redirecting users to malicious sites, or stealing session cookies.

🟢 If Mitigated
Attack fails because the save handler rejects requests that lack a valid CSRF token (WordPress nonce), or because SameSite cookie restrictions keep the administrator's session from being sent with the forged request; no impact on site functionality.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires social engineering to trick authenticated administrators. CSRF attacks are well-understood and easily weaponized.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.2.8 and later

Vendor Advisory: https://wordpress.org/plugins/admin-custom-login/#developers

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find Admin Custom Login.
4. Click 'Update Now' if available.
5. Alternatively, delete the plugin and reinstall the latest version from the WordPress repository.

🔧 Temporary Workarounds

Disable Plugin (all platforms)

Temporarily disable the vulnerable plugin until patched:

wp plugin deactivate admin-custom-login

Add CSRF Protection (all platforms)

If you can modify the plugin, add CSRF token (WordPress nonce) verification to the login background save handler so that a request forged from another site is rejected.
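The following is an added illustration of that workaround and is not the plugin's own code. It shows the shape of a `loginbgSave` AJAX handler with no request validation beside a hardened version that verifies a WordPress nonce, checks the caller's capability, validates the input as a URL, and escapes it on output. The hook name `wp_ajax_loginbgSave` is assumed from the `action=loginbgSave` parameter named on this page; the option name `acl_login_bg`, the nonce action `acl_loginbg_save`, the nonce field `acl_nonce`, the script handle and the `loginbg.js` file are hypothetical.

```php
<?php
/**
 * Added example, not the Admin Custom Login plugin's source.
 * Names marked "hypothetical" are assumptions for illustration.
 */

// --- Unprotected pattern (NOT hooked anywhere here). Any POST that reaches
// admin-ajax.php with an administrator's cookies attached is honoured, so a
// form submitted from a third-party page can trigger the save. This is the
// shape of the weakness described above, not the plugin's actual code.
function acl_loginbg_save_unprotected() {
    $bg = isset( $_POST['login_bg'] ) ? wp_unslash( $_POST['login_bg'] ) : '';
    update_option( 'acl_login_bg', $bg ); // hypothetical option name; stored unvalidated
    wp_send_json_success();
}

// --- Hardened pattern.
function acl_loginbg_save_protected() {
    // 1. CSRF: the nonce must have been minted for this action and this
    //    logged-in user. A page on another origin cannot read or forge it.
    //    check_ajax_referer() stops execution (HTTP 403) when it fails.
    check_ajax_referer( 'acl_loginbg_save', 'acl_nonce' ); // hypothetical action/field names

    // 2. Authorization: a valid nonce does not by itself prove privilege.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'insufficient privileges' ), 403 );
    }

    // 3. Input validation: the background is a URL, so accept nothing else.
    $bg = isset( $_POST['login_bg'] ) ? esc_url_raw( wp_unslash( $_POST['login_bg'] ) ) : '';
    if ( '' === $bg ) {
        wp_send_json_error( array( 'message' => 'invalid background URL' ), 400 );
    }
    update_option( 'acl_login_bg', $bg );
    wp_send_json_success();
}
add_action( 'wp_ajax_loginbgSave', 'acl_loginbg_save_protected' );

// The settings page must mint the nonce so the admin's own script can send
// it as the acl_nonce POST field. Script handle and file are hypothetical.
function acl_loginbg_enqueue() {
    wp_enqueue_script( 'acl-loginbg', plugins_url( 'loginbg.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'acl-loginbg', 'aclLoginBg', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'acl_loginbg_save' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'acl_loginbg_enqueue' );

// 4. Output escaping: even a stored value must not be able to become script
//    when the login page renders it.
function acl_print_login_bg_css() {
    $bg = get_option( 'acl_login_bg', '' );
    if ( '' !== $bg ) {
        echo '<style>body.login{background-image:url(' . esc_url( $bg ) . ');}</style>';
    }
}
add_action( 'login_head', 'acl_print_login_bg_css' );
```

The nonce check alone closes the CSRF path; the capability check, URL validation and output escaping are the defence in depth that keeps a bypassed or leaked nonce from turning into stored script injection, which is the impact this advisory describes.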

🧯 If You Can't Patch

  • Restrict administrator access to trusted networks only
  • Implement web application firewall with CSRF protection rules

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel → Plugins → Admin Custom Login → Version. If version ≤ 3.2.7, vulnerable.

Check Version:

wp plugin get admin-custom-login --field=version

Verify Fix Applied:

Verify plugin version is 3.2.8 or higher in WordPress admin plugins page.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to /wp-admin/admin-ajax.php with action=loginbgSave
  • Multiple failed CSRF (nonce) validation attempts; these only appear once a plugin version that actually validates nonces is installed, since the vulnerable versions perform no check

Network Indicators:

  • Cross-origin requests to WordPress admin endpoints from unexpected domains

SIEM Query:

source="wordpress.log" AND "action=loginbgSave" AND NOT referer="*wp-admin*"
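The SIEM query above is written for a log platform; the following is an added example (not part of this advisory) of the same detection logic run over web-server access log lines, so it can be tested offline. It flags POSTs to `/wp-admin/admin-ajax.php` carrying `action=loginbgSave` whose Referer is absent or is not the site's own `/wp-admin/` area. The log lines are constructed, and the host `example.test` is a placeholder for the monitored site.

```php
<?php
/**
 * Added detection example, not from the advisory. Input: Apache/nginx
 * "combined" format lines. Output: the requests worth investigating.
 */

const SITE_HOST = 'example.test'; // placeholder for the monitored site

// combined log format:
// ip - user [time] "METHOD path HTTP/x" status bytes "referer" "user-agent"
const LOG_RE = '/^(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+) [^"]*" (?<status>\d{3}) \S+ "(?<referer>[^"]*)" "(?<ua>[^"]*)"$/';

// Returns details of a suspicious request, or null if the line is benign.
function acl_is_suspicious( string $line ): ?array {
    if ( ! preg_match( LOG_RE, $line, $m ) ) {
        return null; // unparsable line: ignore
    }
    $url   = parse_url( $m['path'] );
    $query = array();
    parse_str( $url['query'] ?? '', $query );
    if ( $m['method'] !== 'POST'
        || ( $url['path'] ?? '' ) !== '/wp-admin/admin-ajax.php'
        || ( $query['action'] ?? '' ) !== 'loginbgSave' ) {
        return null; // not the endpoint and action of interest
    }
    // A legitimate save comes from the site's own admin pages. A forged
    // request shows a foreign Referer, or none at all when a Referrer-Policy
    // stripped it; both are treated as suspicious here.
    $ref_host  = parse_url( $m['referer'], PHP_URL_HOST );
    $ref_path  = (string) ( parse_url( $m['referer'], PHP_URL_PATH ) ?? '' );
    $own_admin = $ref_host === SITE_HOST && strpos( $ref_path, '/wp-admin/' ) === 0;
    if ( $own_admin ) {
        return null;
    }
    return array(
        'ip'      => $m['ip'],
        'time'    => $m['time'],
        'referer' => $m['referer'] === '-' ? '' : $m['referer'],
        'status'  => (int) $m['status'],
    );
}

function acl_scan( array $lines ): array {
    $hits = array();
    foreach ( $lines as $line ) {
        $hit = acl_is_suspicious( trim( $line ) );
        if ( $hit !== null ) {
            $hits[] = $hit;
        }
    }
    return $hits;
}

// Constructed sample: a legitimate save from the settings page, one forged
// from a third-party page, one with no Referer, and an unrelated request.
$sample = <<<'LOG'
203.0.113.5 - - [10/Jul/2021:14:02:11 +0000] "POST /wp-admin/admin-ajax.php?action=loginbgSave HTTP/1.1" 200 21 "https://example.test/wp-admin/admin.php?page=admin_custom_login" "Mozilla/5.0"
198.51.100.7 - - [10/Jul/2021:14:05:40 +0000] "POST /wp-admin/admin-ajax.php?action=loginbgSave HTTP/1.1" 200 21 "https://lure.invalid/page.html" "Mozilla/5.0"
198.51.100.7 - - [10/Jul/2021:14:05:41 +0000] "POST /wp-admin/admin-ajax.php?action=loginbgSave HTTP/1.1" 200 21 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jul/2021:14:06:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4012 "-" "Mozilla/5.0"
LOG;

foreach ( acl_scan( explode( "\n", $sample ) ) as $hit ) {
    printf( "%s %s referer=%s status=%d\n",
        $hit['time'], $hit['ip'],
        $hit['referer'] === '' ? '(none)' : $hit['referer'],
        $hit['status'] );
}
```

Two caveats when applying this to real logs: the `action` parameter is only visible to the web server if it travels in the query string, so a handler invoked with `action` in the POST body needs application-level or WAF logging to be seen at all; and a request with no Referer is ambiguous on its own (privacy settings strip it too), so treat the no-Referer case as a lower-confidence signal and correlate it with the source IP and the administrator's normal activity.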

🔗 References
