PT-2021-16357 · WordPress · Advanced Forum

Suppawit Punhakit · Published 2021-11-23 · Updated 2021-11-29 · CVE-2021-24892

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Advanced Forms (Free & Pro) versions prior to 1.6.9
Description: The issue allows an authenticated remote attacker to change an arbitrary user's email address and then request a password reset for that account, potentially leading to the takeover of a WordPress administrator account. To exploit this, an attacker must first register to obtain a valid WordPress user account, then authenticate to WordPress with that account and use the vulnerable edit function.
Recommendations: For versions prior to 1.6.9, update to version 1.6.9 or later to resolve the issue. As a temporary workaround, consider restricting access to the edit function in Advanced Forms until the update can be applied. Additionally, monitor user account activity for suspicious email address changes and password reset requests.

IDOR


Weakness Enumeration

Related Identifiers

CVE-2021-24892

Affected Products

Advanced Forum