CVE-2021-4360: 
WordPress vulnerability analysis and mitigation

The Controlled Admin Access plugin for WordPress contains a Privilege Escalation vulnerability (CVE-2021-4360) affecting versions up to and including 1.5.5. The vulnerability was discovered on March 30, 2021, and was fixed in version 1.5.6. This security issue affects the WordPress plugin's configuration page access control mechanism (WPScan, NVD).

The vulnerability stems from improper access control implementation where the plugin fails to properly restrict access when checking users with limited permissions. This security flaw allows users to query pages they should not have access to, particularly the configuration page. The vulnerability has received a CVSS v3.1 base score of 8.8 (HIGH) from NIST and 9.9 (CRITICAL) from Wordfence, indicating its severe nature (NVD).

The vulnerability allows attackers to create a new administrator account with full, unrestricted access to the blog, effectively escalating their privileges from a limited access user to a user with complete administrative control (WPScan).

The vulnerability has been patched in version 1.5.6 of the Controlled Admin Access plugin. Users are strongly advised to update to this version or later to protect against this security issue (WordPress Plugin).