Vulnerability Description
The Plus Addons for Elementor plugin (before version 4.1.7) allowed attackers to bypass authentication, gain admin access, and create accounts with elevated roles, even when registration was disabled and the Login widget was inactive.
id: CVE-2021-24175

info:
  name: The Plus Addons for Elementor Page Builder < 4.1.7 - Authentication Bypass
  author: pussycat0x
  severity: critical
  description: |
    The Plus Addons for Elementor plugin (before version 4.1.7) allowed attackers to bypass authentication, gain admin access, and create accounts with elevated roles, even when registration was disabled and the Login widget was inactive.
  remediation: Fixed in 4.1.7
  reference:
    - https://wpscan.com/vulnerability/c311feef-7041-4c21-9525-132b9bd32f89/
    - https://www.wordfence.com/blog/2021/03/critical-0-day-in-the-plus-addons-for-elementor-allows-site-takeover/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2021-24175
    cwe-id: CWE-287
    epss-score: 0.802
    epss-percentile: 0.99082
    cpe: cpe:2.3:a:posimyth:the_plus_addons_for_elementor:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 1
    fofa-query: body="/wp-content/plugins/the-plus-addons-for-elementor-page-builder/"
    vendor: posimyth
    product: the_plus_addons_for_elementor
    framework: wordpress
  tags: cve,cve2021,wordpress,wp-theme,wpscan,elementor,plus-addons,passive,vkev

http:
  - method: GET
    path:
      - "{{BaseURL}}/wp-content/plugins/the-plus-addons-for-elementor-page-builder/readme.txt"

    matchers:
      - type: dsl
        dsl:
          - "status_code == 200"
          - "contains(body, 'The Plus Addons for Elementor')"
          - "compare_versions(version, '< 4.1.7')"
        condition: and

    extractors:
      - type: regex
        part: body
        group: 1
        name: version
        regex:
          - 'Stable tag: ([0-9.]+)'
        internal: true
# digest: 4a0a00473045022100f655c163c4374e0474f5f3b81a63eae20dca96c3c8b794d5ae5296b80e78465e022054a1306f956db1392c1c40e2623a7566e6f40a8168fe124a8a5b99059782bd6a:922c64590222798bb761d5b6d8e72950
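
The template's passive check, reproduced offline as an added example (not part of the original template or the nuclei project): it applies the same status, marker and "Stable tag" tests to readme.txt bodies, compares versions numerically, and reports a separate result when no version can be read. The function names, the "unknown-version" verdict and the sample bodies are assumptions constructed for illustration; the numeric comparison approximates compare_versions.

```python
import re

FIXED_VERSION = "4.1.7"                      # bound used by the template's matcher
PLUGIN_MARKER = "The Plus Addons for Elementor"
STABLE_TAG_RE = re.compile(r"Stable tag: ([0-9.]+)")   # same regex as the extractor


def version_key(version):
    """Turn '4.1.10' into (4, 1, 10) so the comparison is numeric, not lexical."""
    return tuple(int(part) for part in version.split(".") if part)


def is_older(version, bound=FIXED_VERSION):
    """True when version sorts before bound; shorter versions are zero-padded."""
    a, b = version_key(version), version_key(bound)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def classify(status_code, body):
    """Return (verdict, version) for one readme.txt response."""
    if status_code != 200 or PLUGIN_MARKER not in body:
        return ("no-match", None)
    match = STABLE_TAG_RE.search(body)
    if match is None or not version_key(match.group(1)):
        # The template simply does not fire here; flag it for manual review.
        return ("unknown-version", None)
    version = match.group(1)
    return ("vulnerable" if is_older(version) else "patched", version)


# Constructed sample responses (not captured from any real site).
HEADER = "=== The Plus Addons for Elementor ===\n"
SAMPLES = {
    "old": (200, HEADER + "Stable tag: 4.1.6\n"),
    "fixed": (200, HEADER + "Stable tag: 4.1.7\n"),
    "two_digit_patch": (200, HEADER + "Stable tag: 4.1.10\n"),
    "trunk": (200, HEADER + "Stable tag: trunk\n"),
    "blocked": (403, "Forbidden"),
}

if __name__ == "__main__":
    for label, (status, body) in SAMPLES.items():
        print(label, classify(status, body))
```

A "no-match" or "unknown-version" result does not show that a site is patched, because readme.txt can be blocked, removed or edited; confirm the installed plugin version from the WordPress admin or the plugin files on disk.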