Social Sharing Plugin – Kiwi 2.1.0 – Unauthenticated Arbitrary WordPress Options Update and Read | CVE 2021-4362 | Plugin Vulnerabilities

Description

The plugin re-introduced an issue in v2.1.0, allowing unauthenticated attacker to update and read arbitrary WordPress options. This could allow them to create admin accounts by enabling registration and setting the user default role to administrator, or to modify the value of siteurl in order to redirect all traffic to an external malicious website

Affects Plugins

kiwi-social-share

Fixed in 2.1.3

References

CVE

URL

https://blog.nintechnet.com/wordpress-kiwi-social-sharing-plugin-fixed-critical-vulnerability/

Classification

Type

ACCESS CONTROLS

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Jerome Bruandet (nintechnet)

Verified

Yes

WPVDB ID

5c65ba36-b6cb-4982-977a-0fbce8812ad3

Timeline

Publicly Published

2021-06-04 (about 4 years ago)

Added

2021-06-04 (about 4 years ago)

Last Updated

2026-05-04 (about 9 days ago)

Other

Published

Title

Published

2021-04-06

Title

WPBakery Page Builder Clipboard < 4.5.8 - Unauthorised Arbitrary License Options Update

Published

2024-03-20

Title

WooCommerce Cloak Affiliate Links < 1.0.34 - Missing Authorization to Unauthenticated Permalink Modification

Published

2021-01-28

Title

uListing < 1.7 - Unauthenticated WordPress Options Change

Published

2024-01-30

Title

Starbox < 3.4.8 - Subscriber+ Plugin Preferences / User Settings Access via IDOR

Published

2021-04-17

Title

WordPress Download Manager < 3.1.18 - Unauthorised Download Duplication