CVE-2021-24527
Profile Builder < 3.4.9 - Admin Access via Password Reset
Public Exploits: 1
Exploited in Wild: -
Descriptions
The User Registration & User Profile – Profile Builder WordPress plugin before 3.4.9 does not correctly validate the password-reset key, so any user can bypass that check, reset the password of the blog's administrator account and gain unauthorised administrative access. The administrator is not notified of the change (for example by email), so the account takeover can go unnoticed.
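The advisory names the two properties that failed: the reset key check could be bypassed, and nobody was told the password changed. The model below is an added example written for this page, not the plugin's code and not WordPress's own API; it shows what a correct reset-key check has to enforce (key bound to one login, stored only as a hash, expiring, single-use, and a missing key never accepted) and sends a notice on every successful reset. User data, the 24-hour lifetime, the mail recipients and the clock are all constructed assumptions.

```python
"""Model of a password-reset flow whose key check enforces the properties a
correct implementation needs. Illustrative only: not the plugin's code."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

RESET_TTL_SECONDS = 24 * 60 * 60  # assumed lifetime of a reset key


def _digest(value: str) -> str:
    return hashlib.sha256(value.encode()).hexdigest()


@dataclass
class User:
    login: str
    password_hash: str
    is_admin: bool = False
    reset_key_hash: Optional[str] = None       # hash of the pending key; None when none pending
    reset_requested_at: Optional[float] = None


class ResetService:
    def __init__(self, users: List[User], now: Callable[[], float] = time.time,
                 admin_email: str = "admin@example.invalid"):
        self.users: Dict[str, User] = {u.login: u for u in users}
        self.now = now
        self.admin_email = admin_email
        # Constructed stand-in for outbound mail: (recipient, subject).
        self.sent_mail: List[Tuple[str, str]] = []

    def request_reset(self, login: str) -> Optional[str]:
        """Issue a fresh key for `login`; returns the key that would be mailed
        to the account owner, or None (silently) for unknown accounts."""
        user = self.users.get(login)
        if user is None:
            return None
        key = secrets.token_urlsafe(32)
        user.reset_key_hash = _digest(key)         # the plaintext key is never stored
        user.reset_requested_at = self.now()
        return key

    def check_reset_key(self, login: str, key: Optional[str]) -> Optional[User]:
        """Return the user only if (login, key) names a valid, unexpired, pending reset."""
        user = self.users.get(login)
        # A missing key, or an account with no reset pending, can never match.
        if user is None or not key or user.reset_key_hash is None:
            return None
        if self.now() - user.reset_requested_at > RESET_TTL_SECONDS:
            return None
        # Constant-time comparison of the hashed candidate against the stored hash.
        if not hmac.compare_digest(_digest(key), user.reset_key_hash):
            return None
        return user

    def reset_password(self, login: str, key: Optional[str], new_password: str) -> bool:
        user = self.check_reset_key(login, key)
        if user is None:
            return False
        user.password_hash = _digest(new_password)  # stand-in for a real password hash
        user.reset_key_hash = None                   # single use: invalidate on success
        user.reset_requested_at = None
        # Notify the account owner and the site admin so a takeover is visible.
        self.sent_mail.append((f"{login}@example.invalid", "Your password was changed"))
        self.sent_mail.append((self.admin_email, f"Password changed for {login}"))
        return True


def run_scenario() -> Dict[str, object]:
    """Exercise the inputs an attacker would probe, under a controllable clock."""
    clock = [1_700_000_000.0]
    svc = ResetService([User("admin", _digest("old-admin-pw"), is_admin=True),
                        User("alice", _digest("alice-pw"))], now=lambda: clock[0])
    alice_key = svc.request_reset("alice")
    results: Dict[str, object] = {
        # No reset pending for admin: an empty or missing key must be refused.
        "empty_key_rejected": not svc.reset_password("admin", "", "pwned"),
        "missing_key_rejected": not svc.reset_password("admin", None, "pwned"),
        # A key issued to alice must not work against the admin account.
        "cross_account_rejected": not svc.reset_password("admin", alice_key, "pwned"),
        "owner_accepted": svc.reset_password("alice", alice_key, "alice-new"),
        # The same key cannot be replayed after it has been used.
        "replay_rejected": not svc.reset_password("alice", alice_key, "alice-again"),
    }
    admin_key = svc.request_reset("admin")
    clock[0] += RESET_TTL_SECONDS + 1
    results["expired_rejected"] = not svc.reset_password("admin", admin_key, "pwned")
    results["admin_password_unchanged"] = svc.users["admin"].password_hash == _digest("old-admin-pw")
    results["mail_sent"] = len(svc.sent_mail)  # owner notice + admin notice for alice's reset
    return results


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

Each rejected case in `run_scenario` corresponds to a way a weaker check could be bypassed: accepting an absent key when no reset is pending, accepting a key issued for a different login, honouring a key after it was used, or after it expired. The two mail entries are the notification the advisory says was missing.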
CVSS Scores
SSVC
- Decision: -
Timeline
- 2021-01-14 CVE Reserved
- 2021-07-19 CVE Published
- 2024-08-03 CVE Updated
- 2024-08-03 First Exploit
- 2024-12-19 EPSS Updated
- Exploited in Wild: not recorded
- KEV Due Date: not recorded
CWE
- CWE-287: Improper Authentication
CAPEC
References (1)
URL | Date
---|---
https://wpscan.com/vulnerability/c142e738-bc4b-4058-a03e-1be6fca47207 | 2024-08-03
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
---|---|---|---|---
Cozmoslabs | Profile Builder | < 3.4.9 | wordpress | Affected