PT-2021-16320 · WordPress · Temporary Login Without Password

·

CVE-2021-24836

·

Published

2021-12-13

·

Updated

2022-08-04

CVSS v3.1

4.3

Medium

VectorAV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Temporary Login Without Password WordPress plugin versions prior to 1.7.1
Description: The issue concerns a lack of authorization and CSRF checks when updating settings in the Temporary Login Without Password WordPress plugin. This could allow any logged-in users, such as subscribers, to update the settings.
Recommendations: For versions prior to 1.7.1, update to version 1.7.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the settings update functionality to minimize the risk of exploitation.

Exploit

Fix

Missing Authorization

CSRF

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2021-24836

Affected Products

Temporary Login Without Password