CVE-2021-36888

9.8 CRITICAL

📋 TL;DR

This vulnerability allows unauthenticated attackers to modify WordPress options, potentially leading to full website compromise. It affects WordPress sites running the Image Hover Effects Ultimate plugin at version 9.6.1 or earlier, and no authentication is needed to exploit it.

💻 Affected Systems

Products:
  • WordPress Image Hover Effects Ultimate plugin
Versions: <= 9.6.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects WordPress installations with the vulnerable plugin active.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete website takeover, data theft, malware injection, and server compromise.

🟠 Likely Case: Website defacement, admin account creation, backdoor installation, and SEO spam injection.

🟢 If Mitigated: Limited impact if proper network segmentation and WAF rules block exploitation attempts.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple HTTP POST requests can trigger the vulnerability without authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 9.6.2

Vendor Advisory: https://wordpress.org/plugins/image-hover-effects-ultimate/#developers

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'Image Hover Effects Ultimate'.
4. Click 'Update Now' or manually update to version 9.6.2+.
5. Verify the update completes successfully.

🔧 Temporary Workarounds

Disable vulnerable plugin (applies to: all)

Temporarily deactivate the Image Hover Effects Ultimate plugin until patched.

wp plugin deactivate image-hover-effects-ultimate

WAF rule blocking (applies to: all)

Block requests to vulnerable plugin endpoints via web application firewall, i.e. POST requests to /wp-admin/admin-ajax.php carrying action=iheu_ajax_action (see Detection & Monitoring below).

🧯 If You Can't Patch

  • Remove the plugin completely if not essential
  • Implement strict network access controls to limit exposure

🔍 How to Verify

Check if Vulnerable:

In the WordPress admin panel, open Plugins > Installed Plugins and read the Image Hover Effects Ultimate version number; 9.6.1 or earlier is vulnerable.

Check Version:

wp plugin get image-hover-effects-ultimate --field=version

Verify Fix Applied:

Confirm plugin version is 9.6.2 or higher in WordPress admin.

📡 Detection & Monitoring

Log Indicators:

  • POST requests to /wp-admin/admin-ajax.php with action=iheu_ajax_action
  • Unauthenticated admin option modifications

Network Indicators:

  • HTTP POST to vulnerable plugin endpoints from unexpected sources

SIEM Query:

source="web_server" AND (uri="/wp-admin/admin-ajax.php" AND method="POST" AND params.action="iheu_ajax_action")
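As an added defender-side example (not part of the original page), the Python below applies the log indicator and SIEM logic above to a few constructed JSON access-log records, and also checks a plugin version string against the 9.6.2 fix threshold; the record format, field names and sample values are assumptions.

```python
import json
from urllib.parse import parse_qs

# Constructed sample records (not real logs): JSON access-log lines that also
# capture the POST body, since the WordPress AJAX 'action' parameter travels there.
SAMPLE_LOGS = [
    '{"method":"POST","uri":"/wp-admin/admin-ajax.php","body":"action=iheu_ajax_action&option=siteurl","src":"203.0.113.5","user":""}',
    '{"method":"POST","uri":"/wp-admin/admin-ajax.php","body":"action=heartbeat","src":"198.51.100.7","user":"editor"}',
    '{"method":"GET","uri":"/wp-admin/admin-ajax.php?action=iheu_ajax_action","body":"","src":"203.0.113.9","user":""}',
    '{"method":"POST","uri":"/index.php","body":"action=iheu_ajax_action","src":"203.0.113.5","user":""}',
]

AJAX_PATH = "/wp-admin/admin-ajax.php"
TARGET_ACTION = "iheu_ajax_action"   # action name given in the page's log indicators


def is_vulnerable_version(version):
    """True for plugin versions below the 9.6.2 fix (i.e. <= 9.6.1), compared numerically."""
    parts = tuple(int(p) for p in version.split("."))
    return parts < (9, 6, 2)


def request_action(record):
    """Return the 'action' parameter from the query string or POST body, or None."""
    _, _, query = record["uri"].partition("?")
    params = parse_qs(query)
    params.update(parse_qs(record.get("body", "")))
    values = params.get("action")
    return values[0] if values else None


def is_suspicious(record):
    """Match the page's indicator: POST to admin-ajax.php with action=iheu_ajax_action."""
    path = record["uri"].partition("?")[0]
    return (record["method"] == "POST" and path == AJAX_PATH
            and request_action(record) == TARGET_ACTION)


def scan(lines):
    """Return one hit per matching record; an empty 'user' field marks it unauthenticated."""
    hits = []
    for line in lines:
        rec = json.loads(line)
        if is_suspicious(rec):
            hits.append({"src": rec["src"], "unauthenticated": not rec.get("user")})
    return hits


if __name__ == "__main__":
    print(scan(SAMPLE_LOGS))
```

Standard web-server access logs do not record POST bodies, so this check needs a WAF or application-level log that captures the action parameter.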
