CVE-2021-24193: 
WordPress vulnerability analysis and mitigation

The Visitor Traffic Real Time Statistics WordPress plugin version 2.11 and earlier contained a missing authorization vulnerability (CVE-2021-24193). Low privileged users could exploit the AJAX action 'cppluginsdobuttonjoblatercallback' to install arbitrary plugins from the WordPress repository, which could potentially lead to more critical vulnerabilities like Remote Code Execution (RCE) (WPScan).

The vulnerability existed in the 'cppluginsdobuttonjoblatercallback' method within the settings-start-index.php file. The AJAX action could be exploited by sending a POST request to /wp-admin/admin-ajax.php with specific parameters to install or activate plugins. The vulnerability was assigned a CVSS score of 9.9 (Critical) and was classified under CWE-284 (Improper Access Control) (WPScan).

The vulnerability allowed low privileged users to install any plugin, including specific versions, from the WordPress repository. This capability could be leveraged to install vulnerable plugins, potentially leading to more severe security issues such as Remote Code Execution. Additionally, the same AJAX action could be used to activate already installed plugins on the blog (WPScan).

The vulnerability was fixed in version 2.12 of the Visitor Traffic Real Time Statistics plugin. Users are advised to update to this version or later to mitigate the security risk (WPScan).