CVE-2021-24191
HIGHWP Maintenance Mode < 1.8.2 - Unauthenticated Plugin Installation/Activation
Title source: llmDescription
Low privileged users can use the AJAX action 'cp_plugins_do_button_job_later_callback' in the WP Maintenance Mode & Site Under Construction WordPress plugin before 1.8.2, to install any plugin (including a specific version) from the WordPress repository, as well as activate arbitrary plugin from then blog, which helps attackers install vulnerable plugins and could lead to more critical vulnerabilities like RCE.
References (1)
Core 1
Core References
Exploit, Third Party Advisory x_refsource_confirm
https://wpscan.com/vulnerability/74889e29-5349-43d1-baf5-1622493be90c
Scores
CVSS v3
8.8
EPSS
0.0131
EPSS Percentile
66.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-285
Status
published
Products (1)
wpshopmart/coming_soon_page_\&_maintenance_mode
< 1.8.2
Published
May 14, 2021
Tracked Since
Feb 18, 2026