CVE-2021-24359 - OpenCVE

The Plus Addons for Elementor Page Builder WordPress plugin before 4.1.11 did not properly check that a user requesting a password reset was the legitimate user, allowing an attacker to send an arbitrary reset password email to a registered user on behalf of the WordPress site. Such issue could be chained with an open redirect (CVE-2021-24358) in version below 4.1.10, to include a crafted password reset link in the email, which would lead to an account takeover.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:L/Au:N/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Posimyth	The Plus Addons For Elementor

Configuration 1 [-]

cpe:2.3:a:posimyth:the_plus_addons_for_elementor:*:*:*:*:*:wordpress:*:*

References

Link	Resource
https://theplusaddons.com/changelog/	Release Notes Vendor Advisory
https://wpscan.com/vulnerability/486b82d1-30d4-44d2-9542-f33e3f149e92	Exploit Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: WPScan

Published: 2021-06-14T13:37:14

Updated: 2021-06-14T13:37:14

Reserved: 2021-01-14T00:00:00

Link: CVE-2021-24359

JSON object: View

NVD Information

Status : Analyzed

Published: 2021-06-14T14:15:08.997

Modified: 2022-10-25T23:43:21.477

Link: CVE-2021-24359

JSON object: View

Redhat Information

No data.

CWE

{"containers": {"cna": {"affected": [{"product": "The Plus Addons for Elementor Page Builder", "vendor": "Unknown", "versions": [{"lessThan": "4.1.11", "status": "affected", "version": "4.1.11", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Nicolas Vidal from TEHTRIS"}], "descriptions": [{"lang": "en", "value": "The Plus Addons for Elementor Page Builder WordPress plugin before 4.1.11 did not properly check that a user requesting a password reset was the legitimate user, allowing an attacker to send an arbitrary reset password email to a registered user on behalf of the WordPress site. Such issue could be chained with an open redirect (CVE-2021-24358) in version below 4.1.10, to include a crafted password reset link in the email, which would lead to an account takeover."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-284", "description": "CWE-284 Improper Access Control", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-06-14T13:37:14", "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://theplusaddons.com/changelog/"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://wpscan.com/vulnerability/486b82d1-30d4-44d2-9542-f33e3f149e92"}], "source": {"discovery": "UNKNOWN"}, "title": "The Plus Addons for Elementor Page Builder < 4.1.11 - Arbitrary Reset Pwd Email Sending", "x_generator": "WPScan CVE Generator", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "contact@wpscan.com", "ID": "CVE-2021-24359", "STATE": "PUBLIC", "TITLE": "The Plus Addons for Elementor Page Builder < 4.1.11 - Arbitrary Reset Pwd Email Sending"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "The Plus Addons for Elementor Page Builder", "version": {"version_data": [{"version_affected": "<", "version_name": "4.1.11", "version_value": "4.1.11"}]}}]}, "vendor_name": "Unknown"}]}}, "credit": [{"lang": "eng", "value": "Nicolas Vidal from TEHTRIS"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The Plus Addons for Elementor Page Builder WordPress plugin before 4.1.11 did not properly check that a user requesting a password reset was the legitimate user, allowing an attacker to send an arbitrary reset password email to a registered user on behalf of the WordPress site. Such issue could be chained with an open redirect (CVE-2021-24358) in version below 4.1.10, to include a crafted password reset link in the email, which would lead to an account takeover."}]}, "generator": "WPScan CVE Generator", "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-284 Improper Access Control"}]}]}, "references": {"reference_data": [{"name": "https://theplusaddons.com/changelog/", "refsource": "MISC", "url": "https://theplusaddons.com/changelog/"}, {"name": "https://wpscan.com/vulnerability/486b82d1-30d4-44d2-9542-f33e3f149e92", "refsource": "CONFIRM", "url": "https://wpscan.com/vulnerability/486b82d1-30d4-44d2-9542-f33e3f149e92"}]}, "source": {"discovery": "UNKNOWN"}}}}, "cveMetadata": {"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "assignerShortName": "WPScan", "cveId": "CVE-2021-24359", "datePublished": "2021-06-14T13:37:14", "dateReserved": "2021-01-14T00:00:00", "dateUpdated": "2021-06-14T13:37:14", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:posimyth:the_plus_addons_for_elementor:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "841AB0A9-225A-4B3E-A9C3-63E60B304CB0", "versionEndExcluding": "4.1.11", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The Plus Addons for Elementor Page Builder WordPress plugin before 4.1.11 did not properly check that a user requesting a password reset was the legitimate user, allowing an attacker to send an arbitrary reset password email to a registered user on behalf of the WordPress site. Such issue could be chained with an open redirect (CVE-2021-24358) in version below 4.1.10, to include a crafted password reset link in the email, which would lead to an account takeover."}, {"lang": "es", "value": "El WordPress Plus Addons para Elementor Page Builder versiones anteriores a 4.1.11, no comprobaba apropiadamente que un usuario que ped\u00eda el restablecimiento de la contrase\u00f1a era el usuario leg\u00edtimo, permitiendo a un atacante enviar un correo electr\u00f3nico de restablecimiento de contrase\u00f1a arbitrario a un usuario registrado en nombre del sitio de WordPress. Este problema podr\u00eda ser encadenado con un redireccionamiento abierto (CVE-2021-24358) en la versi\u00f3n por debajo de 4.1.10, para incluir un enlace de restablecimiento de contrase\u00f1a dise\u00f1ado en el correo electr\u00f3nico, que podr\u00eda conllevar a una toma de control de la cuenta"}], "id": "CVE-2021-24359", "lastModified": "2022-10-25T23:43:21.477", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-06-14T14:15:08.997", "references": [{"source": "contact@wpscan.com", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://theplusaddons.com/changelog/"}, {"source": "contact@wpscan.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://wpscan.com/vulnerability/486b82d1-30d4-44d2-9542-f33e3f149e92"}], "sourceIdentifier": "contact@wpscan.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-284"}], "source": "contact@wpscan.com", "type": "Secondary"}]}