CVE-2021-24175
WordPress vulnerability analysis and mitigation

Overview

The Plus Addons for Elementor Page Builder WordPress plugin, in versions before 4.1.7, contained a critical authentication bypass vulnerability (CVE-2021-24175) that was discovered in March 2021. The bug was initially reported as a zero-day under active exploitation, affecting over 30,000 active installations. Seravo first discovered the issue on March 6th, 2021, and WP Charged independently reported it after observing active attacks that had begun on March 5th, 2021 (WPScan).

Technical details

CVE-2021-24175 is a privilege-escalation and authentication-bypass issue in the login and registration functionality of The Plus Addons for Elementor. It received a CVSS score of 9.8 (Critical). The flaw lies in the 'theplusajaxlogin' and 'theplusgoogleajax_register' AJAX actions, which were registered so that unauthenticated requests to admin-ajax.php could reach them. Neither action verified the caller's credentials: an attacker could log in as an existing user by supplying nothing more than that user's username, and could register new accounts, even when site registration was disabled and the plugin's Login widget was not in use (Threatpost, WPScan).

Impact

An unauthenticated attacker could log in as any existing user, including administrators, by supplying only that user's username, and could create new accounts with an arbitrary role, including administrator. Because the vulnerable AJAX actions were exposed regardless of site settings, the issue was exploitable even when user registration was disabled and the Login widget was not active. The free version of the plugin in the WordPress.org repository (The Plus Addons for Elementor Lite) was not affected (WPScan).

Mitigation and workarounds

The vulnerability was patched in version 4.1.7 of The Plus Addons for Elementor, and site administrators were advised to upgrade immediately. For sites that could not update right away, the recommended workaround was to deactivate and fully remove the plugin, or to switch to the unaffected free version (The Plus Addons for Elementor Lite). Because attacks were already under way before the patch was available, updating alone does not undo a prior compromise: administrators were also advised to review the site for unexpected administrative users and unauthorized plugins, since an attacker-created administrator account or backdoor plugin survives the plugin update (Threatpost).
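As an added example (not code from this page, from the plugin, or from Wiz), the following Python script performs the two post-incident checks described above over constructed sample data, so it runs offline. The first check scans web-server access log lines for requests to admin-ajax.php that name either vulnerable AJAX action in the query string; the second flags administrator accounts registered on or after March 5th, 2021, the date active attacks were first observed. The action names and the attack date come from the advisory text; the log format (Apache/Nginx "combined"), the user-record shape (modelled on `wp user list --format=json` output) and all sample data are assumptions. One caveat a practitioner should keep in mind: WordPress AJAX clients commonly send the action in the POST body, which standard access logs do not record, so an empty result from the log check is not proof that no attack occurred.

```python
"""
Added example (not code from the page, the plugin or Wiz): two post-incident
checks for CVE-2021-24175, run over constructed sample data so it works offline.

1. find_exploit_attempts(): scans access log lines for requests to
   admin-ajax.php that carry one of the vulnerable AJAX actions in the query
   string.  Caveat: the action is commonly sent in the POST body, which
   standard access logs do not record, so a negative result here is not
   proof that no attack took place.
2. find_suspect_admins(): flags administrator accounts created on or after
   2021-03-05, the date active exploitation was first observed.
"""
import re
from datetime import date, datetime
from urllib.parse import parse_qs, urlsplit

# Action names taken from the advisory text; everything else is assumed.
VULNERABLE_ACTIONS = {"theplusajaxlogin", "theplusgoogleajax_register"}
ATTACKS_OBSERVED_FROM = date(2021, 3, 5)

# Apache/Nginx "combined" log layout (assumed); adjust to your server's format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def find_exploit_attempts(log_lines):
    """Return (ip, timestamp, action, status) for each request that targets
    admin-ajax.php with a vulnerable action in its query string."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        parts = urlsplit(m.group("path"))
        if not parts.path.endswith("/wp-admin/admin-ajax.php"):
            continue
        for action in parse_qs(parts.query).get("action", []):
            if action in VULNERABLE_ACTIONS:
                hits.append((m.group("ip"), m.group("ts"), action, int(m.group("status"))))
    return hits


def find_suspect_admins(users, cutoff=ATTACKS_OBSERVED_FROM):
    """users: list of dicts shaped like `wp user list --format=json` output
    (ID, user_login, user_registered, roles as a comma-separated string).
    Returns the logins of administrators registered on or after the cutoff."""
    suspects = []
    for u in users:
        roles = u.get("roles", "")
        if isinstance(roles, str):
            roles = [r.strip() for r in roles.split(",") if r.strip()]
        if "administrator" not in roles:
            continue
        registered = datetime.strptime(u["user_registered"], "%Y-%m-%d %H:%M:%S").date()
        if registered >= cutoff:
            suspects.append(u["user_login"])
    return suspects


# Constructed sample data (not real traffic and not a real site).
SAMPLE_LOG = [
    '203.0.113.9 - - [05/Mar/2021:11:02:41 +0000] "POST /wp-admin/admin-ajax.php?action=theplusajaxlogin HTTP/1.1" 200 512 "-" "curl/7.68.0"',
    '198.51.100.4 - - [05/Mar/2021:11:03:10 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [05/Mar/2021:11:05:02 +0000] "GET /wp-admin/admin-ajax.php?action=theplusgoogleajax_register&x=1 HTTP/1.1" 200 64 "-" "curl/7.68.0"',
    '192.0.2.7 - - [05/Mar/2021:11:06:30 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 40 "-" "Mozilla/5.0"',
    'garbage line that does not parse',
]

SAMPLE_USERS = [
    {"ID": 1, "user_login": "owner", "user_registered": "2019-08-14 09:30:00", "roles": "administrator"},
    {"ID": 2, "user_login": "editor1", "user_registered": "2021-03-06 08:00:00", "roles": "editor"},
    {"ID": 3, "user_login": "wpadmin2", "user_registered": "2021-03-05 11:05:03", "roles": "administrator"},
]

if __name__ == "__main__":
    for hit in find_exploit_attempts(SAMPLE_LOG):
        print("possible exploitation attempt:", hit)
    print("administrators created in the attack window:", find_suspect_admins(SAMPLE_USERS))
```

On a real site, feed `find_exploit_attempts` the access log for the days around March 5th, 2021 and `find_suspect_admins` the output of `wp user list --format=json`; the second line of SAMPLE_LOG (a POST with no query string) illustrates why a body-carried action is invisible to this check, and the editor account created on March 6th illustrates that only administrator-role accounts are flagged, so non-admin accounts created in the window still deserve a manual look.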
