CVE-2021-42364

8.8 HIGH

📋 TL;DR

This vulnerability in the Stetic WordPress plugin allows attackers to perform Cross-Site Request Forgery (CSRF) attacks due to missing nonce validation. Attackers can inject arbitrary web scripts when users with administrative privileges visit specially crafted pages. WordPress sites using vulnerable versions of the Stetic plugin are affected.

💻 Affected Systems

Products:
  • Stetic WordPress Plugin
Versions: up to and including 1.0.6
Operating Systems: All operating systems running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires the plugin to be installed and activated. Administrative privileges are needed for the vulnerable stats_page function to be accessible.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could inject malicious scripts that compromise the entire WordPress site, steal administrator credentials, deface the website, or install backdoors for persistent access.

🟠 Likely Case

Attackers trick administrators into executing actions that inject malicious JavaScript, potentially leading to session hijacking, data theft, or unauthorized content changes.

🟢 If Mitigated

With proper CSRF protections and input validation, the attack would fail, preventing script injection and maintaining site integrity.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires tricking an authenticated administrator into clicking a malicious link or visiting a compromised page. The vulnerability is well-documented in security advisories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.0.7 or later

Vendor Advisory: https://plugins.trac.wordpress.org/browser/stetic/trunk/stetic.php#L129

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find the Stetic plugin and update it to version 1.0.7 or later.
4. If no update is available, deactivate and delete the plugin.

🔧 Temporary Workarounds

Disable Stetic Plugin

Platform: all

Temporarily disable the vulnerable plugin until it is patched:

wp plugin deactivate stetic

Implement CSRF Protection

Platform: all

Add nonce validation manually to the stats_page function in stetic.php.
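The pattern behind that workaround, as an added illustration that is not code from the Stetic plugin: a hypothetical admin page handler that accepts a form post with no nonce check, beside the hardened form using WordPress's own check_admin_referer / wp_nonce_field pair plus input sanitization and output escaping. The function names, option name and field names are assumptions.

```php
<?php
// Added example, not the Stetic plugin's code. Function names, the option
// name and the form field names are hypothetical.

// VULNERABLE: every POST that reaches this admin page is trusted, so a forged
// cross-site request issued from a logged-in admin's browser updates the
// option, and the unescaped value is later echoed into the page (stored XSS).
function stetic_stats_page_vulnerable() {
    if ( isset( $_POST['stetic_tracking_code'] ) ) {
        update_option( 'stetic_tracking_code', $_POST['stetic_tracking_code'] );
    }
    $code = get_option( 'stetic_tracking_code', '' );
    echo '<input type="text" name="stetic_tracking_code" value="' . $code . '">';
}

// HARDENED: capability check, nonce check bound to one named action,
// sanitized input on the way in, escaped output on the way out.
function stetic_stats_page_fixed() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    if ( isset( $_POST['stetic_tracking_code'] ) ) {
        // Stops the request (HTTP 403) unless a valid nonce for this action
        // is present, which a cross-site forged request cannot supply.
        check_admin_referer( 'stetic_save_settings', 'stetic_nonce' );
        $value = sanitize_text_field( wp_unslash( $_POST['stetic_tracking_code'] ) );
        update_option( 'stetic_tracking_code', $value );
    }
    $code = get_option( 'stetic_tracking_code', '' );
    echo '<form method="post">';
    // Emits the hidden nonce field that check_admin_referer() above expects.
    wp_nonce_field( 'stetic_save_settings', 'stetic_nonce' );
    echo '<input type="text" name="stetic_tracking_code" value="' . esc_attr( $code ) . '">';
    submit_button( 'Save' );
    echo '</form>';
}
```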

🧯 If You Can't Patch

  • Restrict administrative access to trusted networks only
  • Implement web application firewall (WAF) rules to block CSRF attempts

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > Installed Plugins for Stetic version 1.0.6 or earlier

Check Version:

wp plugin get stetic --field=version

Verify Fix Applied:

Verify Stetic plugin version is 1.0.7 or later in WordPress admin

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to /wp-admin/admin.php?page=stetic-stats
  • Multiple failed nonce validation attempts

Network Indicators:

  • Suspicious outbound connections from WordPress site after admin visits
  • Unexpected JavaScript injections in page responses

SIEM Query:

source="wordpress.log" AND ("stetic" OR "admin.php?page=stetic-stats") AND status=200
