CVE-2021-4360

The Controlled Admin Access plugin for WordPress is vulnerable to Privilege Escalation in versions up to, and including, 1.5.5 by not properly restricting access to the configuration page. This makes it possible for attackers to create a new administrator role with unrestricted access.

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://blog.nintechnet.com/vulnerabilities-fixed-in-wordpress-controlled-admin-access-plugin/	Exploit
https://plugins.svn.wordpress.org/controlled-admin-access/trunk/readme.txt	Release Notes
https://wpscan.com/vulnerability/5ddc0a9d-c081-4bef-aa87-3b10d037379c	Exploit
https://www.wordfence.com/threat-intel/vulnerabilities/id/8c57211a-f59d-4379-b09e-7c6049a6b04d?source=cve	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:wpruby:controlled_admin_access:*:*:*:*:*:wordpress:*:*

History

No history.

Information

Published : 2023-06-07 02:15

Updated : 2023-11-07 03:40

NVD link : CVE-2021-4360

Mitre link : CVE-2021-4360

CVE.ORG link : CVE-2021-4360

JSON object : View

Products Affected

wpruby

controlled_admin_access

CWE

NVD-CWE-noinfo

{"id": "CVE-2021-4360", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "security@wordfence.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.9, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 3.1}]}, "published": "2023-06-07T02:15:14.293", "references": [{"url": "https://blog.nintechnet.com/vulnerabilities-fixed-in-wordpress-controlled-admin-access-plugin/", "tags": ["Exploit"], "source": "security@wordfence.com"}, {"url": "https://plugins.svn.wordpress.org/controlled-admin-access/trunk/readme.txt", "tags": ["Release Notes"], "source": "security@wordfence.com"}, {"url": "https://wpscan.com/vulnerability/5ddc0a9d-c081-4bef-aa87-3b10d037379c", "tags": ["Exploit"], "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8c57211a-f59d-4379-b09e-7c6049a6b04d?source=cve", "tags": ["Third Party Advisory"], "source": "security@wordfence.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "The Controlled Admin Access plugin for WordPress is vulnerable to Privilege Escalation in versions up to, and including, 1.5.5 by not properly restricting access to the configuration page. This makes it possible for attackers to create a new administrator role with unrestricted access."}], "lastModified": "2023-11-07T03:40:46.777", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:wpruby:controlled_admin_access:*:*:*:*:*:wordpress:*:*", "vulnerable": true, "matchCriteriaId": "B6FDF6FD-64C0-4EFD-8137-76072D0AB5A5", "versionEndIncluding": "1.5.5"}], "operator": "OR"}]}], "sourceIdentifier": "security@wordfence.com"}