CVE-2021-37597

9.8 CRITICAL

📋 TL;DR

CVE-2021-37597 is an authentication bypass vulnerability in the WP Cerber security plugin for WordPress that allows attackers to bypass multi-factor authentication (MFA) by manipulating the wordpress_logged_in_[hash] cookie. It affects WordPress sites that rely on WP Cerber versions before 8.9.3 for authentication security.

💻 Affected Systems

Products:
  • WP Cerber Security, Anti-spam & Malware Scan
Versions: All versions before 8.9.3
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects WordPress installations with WP Cerber plugin enabled and using its MFA features.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete site compromise allowing attackers to gain administrative access, install backdoors, steal sensitive data, and deface or take down the website.

🟠 Likely Case

Unauthorized access to user accounts, privilege escalation, and potential data exfiltration from compromised accounts.

🟢 If Mitigated

Limited impact with proper network segmentation, strong monitoring, and additional authentication layers beyond WP Cerber.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires valid user credentials but bypasses MFA requirements. Attackers need to manipulate authentication cookies after initial login.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 8.9.3 and later

Vendor Advisory: https://wpcerber.com/

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the WP Cerber Security plugin.
4. Click 'Update Now' if an update is available.
5. If no update shows, download version 8.9.3+ from the WordPress plugin repository and update manually.

🔧 Temporary Workarounds

Disable WP Cerber MFA (applies to: all)

Temporarily disable WP Cerber's MFA functionality while keeping its other security features enabled.

Implement Web Application Firewall Rules (applies to: all)

Block suspicious cookie manipulation attempts at the WAF level.

🧯 If You Can't Patch

  • Implement additional authentication layer (e.g., web server authentication, IP whitelisting)
  • Monitor for unusual authentication patterns and cookie manipulation attempts

🔍 How to Verify

Check if Vulnerable:

Check WP Cerber plugin version in WordPress admin panel under Plugins → Installed Plugins

Check Version:

wp plugin list --name=wp-cerber --field=version

Verify Fix Applied:

Verify WP Cerber version is 8.9.3 or higher and test MFA functionality
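The version check above can be scripted so it runs unattended across many sites. The script below is an added example, not part of the advisory or of the WP Cerber project: it wraps the advisory's wp-cli command, compares the reported version with the first fixed release (8.9.3), and prints a verdict. It assumes wp-cli is on PATH, that the plugin slug is wp-cerber as in the command above, and that the version string is purely numeric (dot-separated).

```shell
#!/bin/sh
# Added example (not part of the advisory or the WP Cerber project): compare the
# installed WP Cerber version with the first fixed release, 8.9.3.
# Assumes: wp-cli is on PATH and the plugin slug is wp-cerber, as in the advisory's command.

FIXED_VERSION="8.9.3"

# version_lt A B: succeed (exit 0) if dot-separated numeric version A is lower than B.
# A trailing dot is appended so that "cut" yields an empty field (treated as 0)
# once a version runs out of components, e.g. 8.9 vs 8.9.3.
version_lt() {
    a="$1."; b="$2."
    i=1
    while :; do
        ca=$(printf '%s' "$a" | cut -d. -f"$i")
        cb=$(printf '%s' "$b" | cut -d. -f"$i")
        if [ -z "$ca" ] && [ -z "$cb" ]; then
            return 1            # all components equal: A is not lower than B
        fi
        ca=${ca:-0}; cb=${cb:-0}
        if [ "$ca" -lt "$cb" ]; then return 0; fi
        if [ "$ca" -gt "$cb" ]; then return 1; fi
        i=$((i + 1))
    done
}

# assess_version VERSION: print "vulnerable" or "patched" for an installed version string.
assess_version() {
    if version_lt "$1" "$FIXED_VERSION"; then
        echo "vulnerable"
    else
        echo "patched"
    fi
}

# check_site WP_PATH: query the live install with wp-cli (--path is wp-cli's global option)
# and report its status. Exit status 2 when the plugin is absent or wp-cli is unavailable.
check_site() {
    installed=$(wp plugin list --name=wp-cerber --field=version --path="$1" 2>/dev/null)
    if [ -z "$installed" ]; then
        echo "wp-cerber not found at $1 (plugin not installed or wp-cli unavailable)"
        return 2
    fi
    echo "WP Cerber $installed: $(assess_version "$installed")"
}

# Usage: sh check-wp-cerber.sh /var/www/html
if [ "$#" -gt 0 ]; then
    check_site "$1"
fi
```

Run it with the WordPress root as the only argument; a non-zero exit from check_site means the plugin could not be queried, which is worth treating as "unknown" rather than "patched" in an inventory report.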

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed MFA attempts followed by successful login with manipulated cookies
  • Unusual user agent patterns during authentication

Network Indicators:

  • HTTP requests with manipulated wordpress_logged_in_* cookies
  • Authentication requests bypassing expected MFA flow

SIEM Query:

source="wordpress.log" AND ("wp-cerber" OR "authentication") AND ("cookie" OR "wordpress_logged_in") AND status=200
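The first log indicator above (several failed MFA attempts followed by a successful login) can be checked offline against exported logs. The script below is an added example, not part of the advisory or of WP Cerber: it reads a simplified three-column log (timestamp, user, event) and flags every login that follows a run of MFA failures with no successful MFA in between. The log lines and their format are constructed for illustration; the advisory does not show WP Cerber's real log layout, so the awk field positions would need to be adapted to whatever your site actually writes.

```shell
#!/bin/sh
# Added example (not from the advisory or the WP Cerber project): flag logins that
# follow repeated MFA failures without an intervening MFA success.
# The log format below (timestamp user event) is constructed for this example.

# Constructed sample log lines, not real WP Cerber output.
SAMPLE_LOG='2021-07-30T10:00:01 alice mfa_failed
2021-07-30T10:00:05 alice mfa_failed
2021-07-30T10:00:09 alice mfa_failed
2021-07-30T10:00:40 alice login_success
2021-07-30T10:01:00 bob mfa_failed
2021-07-30T10:05:00 bob login_success
2021-07-30T10:06:00 carol mfa_success
2021-07-30T10:06:01 carol login_success'

# flag_suspicious_logins THRESHOLD  (log on stdin)
# Prints "user failed_count login_timestamp" for each login_success that was
# preceded by at least THRESHOLD mfa_failed events and no mfa_success.
flag_suspicious_logins() {
    awk -v threshold="$1" '
        $3 == "mfa_failed"    { failed[$2]++ }
        $3 == "mfa_success"   { failed[$2] = 0 }      # a real MFA pass resets the counter
        $3 == "login_success" {
            if (failed[$2] >= threshold) print $2, failed[$2], $1
            failed[$2] = 0                             # start fresh after each login
        }'
}

# count_flagged THRESHOLD: number of flagged logins in the constructed sample.
count_flagged() {
    printf '%s\n' "$SAMPLE_LOG" | flag_suspicious_logins "$1" | wc -l | tr -d ' '
}

# Usage on the sample: flags alice (3 failures, then login) at threshold 3.
printf '%s\n' "$SAMPLE_LOG" | flag_suspicious_logins 3
```

A low threshold will also flag users who simply mistyped a code once, so tune it to your own baseline; the point of the rule is the ordering (failures, then a login with no MFA success), not the count alone.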
