CVE-2021-4374

CRITICAL EXPLOITED NUCLEI

WordPress Automatic <3.53.2 - Info Disclosure

Title source: llm

Description

The WordPress Automatic Plugin for WordPress is vulnerable to arbitrary options updates in versions up to, and including, 3.53.2. This is due to missing authorization and option validation in the process_form.php file. This makes it possible for unauthenticated attackers to arbitrarily update the settings of a vulnerable site and ultimately compromise the entire site.

Exploits (1)

metasploit WORKING POC

by h00die, Jerome Bruandet · rubypocphp

https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/admin/http/wp_automatic_plugin_privesc.rb

View Code ZIP pw:eip

Nuclei Templates (1)

WordPress Automatic Plugin - Unauthenticated Options Change

CRITICALVERIFIEDby intelligent-ears

Shodan: http.html:"wp-content/plugins/wp-automatic/"

FOFA: wp-content/plugins/wp-automatic/

References (2)

[Exploit] https://blog.nintechnet.com/critical-vulnerability-fixed-in-wordpress-automatic-plugin/

[Third Party Advisory] https://www.wordfence.com/threat-intel/vulnerabilities/id/d0567dc8-7a4c-42f4-bf45-f31a8efaa354?source=cve

Scores

CVSS v3 9.1

EPSS 0.7223

EPSS Percentile 98.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Exploitation Intel

VulnCheck KEV 2021-09-06

Classification

CWE

CWE-862

Status published

Affected Products (1)

valvepress/wordpress_automatic_plugin < 3.53.2

Timeline

Published Jun 07, 2023

Tracked Since Feb 18, 2026