CVE-2021-24189: 
WordPress vulnerability analysis and mitigation

CVE-2021-24189 is a security vulnerability affecting multiple WordPress plugins from the WP-Buy vendor, specifically the Captchinoo plugin. The vulnerability was discovered and publicly disclosed on April 22, 2021, by security researcher Bugbang. The issue affects the AJAX action 'cppluginsdobuttonjoblatercallback' functionality in several WordPress plugins (WPScan).

The vulnerability is classified as a Broken Access Control issue (CWE-284) with a critical CVSS score of 9.9. The security flaw exists in the 'cppluginsdobuttonjoblatercallback' method within the settings-start-index.php file. Low-privileged users can exploit this vulnerability through the WordPress admin AJAX interface to install any plugin from the WordPress repository or activate existing plugins (WPScan).

The vulnerability allows low-privileged users to install any plugin, including specific versions, from the WordPress repository. This capability could be exploited to install vulnerable plugins, potentially leading to more severe security issues such as Remote Code Execution (RCE). Additionally, attackers can activate installed plugins on the blog, further expanding the attack surface (WPScan).

The vulnerability has been fixed in multiple affected plugins with the following versions: Captchinoo-captcha-for-login-form-protection (version 2.4), wp-content-copy-protector (version 3.1.5), conditional-marketing-mailer (version 1.5.2), wp-maintenance-mode-site-under-construction (version 1.8.2), tree-website-map (version 2.9), visitors-traffic-real-time-statistics (version 2.12), wp-limit-failed-login-attempts (version 2.9), and login-as-customer-or-user (version 1.8). Users should update to these fixed versions immediately (WPScan).