CVE-2021-24244

MEDIUM

WPBakery Page Builder Clipboard 4.5.0-4.5.8 - Incorrect Authorization via AJAX License Update

Title source: llm
STIX 2.1

Description

An AJAX action registered by the WPBakery Page Builder (Visual Composer) Clipboard WordPress plugin before 4.5.8 did not have capability checks, allowing low privilege users, such as subscribers, to update the license options (key, email).

References (2)

Core 2
Core References
Product, Third Party Advisory x_refsource_misc
https://codecanyon.net/item/visual-composer-clipboard/8897711
Exploit, Third Party Advisory x_refsource_confirm
https://wpscan.com/vulnerability/354b98d8-46a1-4189-b347-198701ea59b9

Scores

CVSS v3 6.5
EPSS 0.0094
EPSS Percentile 56.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Details

CWE
CWE-863
Status published
Products (1)
wpbakery_page_builder_clipboard_project/wpbakery_page_builder_clipboard 4.5.0 - 4.5.8
Published May 06, 2021
Tracked Since Feb 18, 2026