CVE-2021-4362

Name of the Vulnerable Software and Affected Versions Kiwi Social Share plugin for WordPress version 2.1.0

Description The issue is related to an authorization bypass due to a missing capability check on the kiwi social share get option() function, which is called via the "kiwi social share get option" AJAX action. This allows unauthenticated attackers to read and modify arbitrary options, potentially leading to a complete site takeover. The vulnerability was previously fixed but was reintroduced in version 2.1.0.

Recommendations For Kiwi Social Share plugin for WordPress version 2.1.0, consider disabling the kiwi social share get option() function until a patch is available to prevent exploitation. Restrict access to the "kiwi social share get option" AJAX action to minimize the risk of unauthorized option modifications. At the moment, there is no information about a newer version that contains a fix for this vulnerability.