CVE-2021-24356: 
WordPress vulnerability analysis and mitigation

The vulnerability (CVE-2021-24356) affects the Simple 301 Redirects by BetterLinks WordPress plugin versions 2.0.0 through 2.0.3. The vulnerability was discovered and disclosed on May 26, 2021, and involves a lack of capability checks and insufficient nonce check on the AJAX action 'simple301redirects/admin/activate_plugin'. This security flaw affects WordPress installations with the vulnerable plugin versions installed (WPScan).

The vulnerability stems from insufficient security controls in the plugin's AJAX functionality. Specifically, the plugin fails to properly implement capability checks and has inadequate nonce verification for the 'simple301redirects/admin/activate_plugin' AJAX action. The vulnerability has been assigned a CVSS v3 base score of 8.8 (High), with attack vector being Network, attack complexity Low, and requiring Low privileges (AttackerKB).

When exploited, this vulnerability allows authenticated users to activate arbitrary plugins that are already installed on the vulnerable WordPress sites. This could lead to elevation of privileges and potential unauthorized access to site functionality, depending on the activated plugins (Wordfence).

The vulnerability has been patched in version 2.0.4 of the Simple 301 Redirects by BetterLinks plugin. Site administrators are strongly advised to update to this version or later to mitigate the security risk (WPScan).