CVE-2021-4380

Tags: Critical · Exploited in the wild · Nuclei template available

Pinterest Automatic <1.14.3 - Auth Bypass

Title source: llm

Exploitation Summary

CVE-2021-4380 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 1 public exploit from researchers including halilkirazkaya. A Nuclei detection template is also available.

AI-analyzed exploit summary: This repository contains functional exploit code for multiple CVEs, including CVE-2021-4380, which involves an authorization bypass in the Pinterest Automatic WordPress plugin. The PoCs demonstrate how unauthenticated attackers can update arbitrary options, potentially leading to administrative account creation or redirection attacks.

Description

The Pinterest Automatic plugin for WordPress is vulnerable to authorization bypass due to missing capability checks on the 'wp_pinterest_automatic_parse_request' function and the 'process_form.php' script in versions up to, and including, 1.14.3. This makes it possible for unauthenticated attackers to update arbitrary options on a site that can be used to create new administrative user accounts or redirect unsuspecting site visitors.

Exploits (1)

GitHub · Working PoC · 4 stars
by halilkirazkaya · poc
https://github.com/halilkirazkaya/cve-poc-garage/tree/main/2021/CVE-2021-4380.md

Classification: Working PoC (95%)
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: Pinterest Automatic WordPress plugin (versions up to and including 1.14.3)
Authentication: none needed
Prerequisites: Access to the target WordPress site
Analyzed by devstral-2 on Feb 27, 2026

Nuclei Templates (1)

Pinterest Automatic < 4.14.4 - Unauthenticated Arbitrary Options Update
Severity: Critical · Verified · by s4e-io

Scores

CVSS v3: 9.8
EPSS: 0.0453
EPSS Percentile: 90.3%
Attack Vector: Network
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC (Vulnrichment)

Exploitation: none
Automatable: yes
Technical Impact: total

Details

VulnCheck KEV: 2021-09-06
CWE: CWE-284
Status: published
Products (2):
- ValvePress/Pinterest Automatic < 4.14.3
- valvepress/pinterest_automatic_pin < 4.14.4
Published: Jun 07, 2023
Tracked Since: Feb 18, 2026