CVE-2021-24752

Public Exploit
Multiple Plugins from CatchThemes - Unauthorised Plugin's Setting Change

Description

Multiple plugins from the CatchThemes vendor do not perform capability or CSRF (nonce) checks in the ctp_switch AJAX action, which could allow any authenticated user, such as a Subscriber, to change the affected plugins' settings. Affected versions: Essential Widgets before 1.9, To Top before 2.3, Header Enhancement before 1.5, Generate Child Theme before 1.6, Essential Content Types before 1.9, Catch Web Tools before 2.7, Catch Under Construction before 1.4, Catch Themes Demo Import before 1.6, Catch Sticky Menu before 1.7, Catch Scroll Progress Bar before 1.6, Social Gallery and Widget before 2.3, Catch Infinite Scroll before 1.9, Catch Import Export before 1.9, Catch Gallery before 1.7, Catch Duplicate Switcher before 1.6, Catch Breadcrumb before 1.7, and Catch IDs before 2.4.
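The flaw class described above, shown as an added illustration in generic WordPress plugin code. This is not code from any CatchThemes plugin; the handler names, the option name ctp_example_setting, the nonce action string ctp_switch_nonce and the manage_options capability are assumptions chosen for the example. The first handler shows the vulnerable pattern (any logged-in user can reach a wp_ajax_* hook and nothing checks who is calling or whether the request was intended); the second shows the same action with the two missing checks added.

```php
<?php
// Added example, not vendor code. Names and option keys below are assumed.

// --- Vulnerable pattern: no capability check, no nonce check ---
// Do NOT register this handler; it is shown only for comparison.
// add_action( 'wp_ajax_ctp_switch', 'ctp_switch_vulnerable' );
function ctp_switch_vulnerable() {
    // wp_ajax_* hooks fire for every authenticated user, Subscribers included.
    // Sanitising the value does not help: the problem is who may set it and
    // whether the request was forged.
    $value = isset( $_POST['value'] ) ? sanitize_text_field( wp_unslash( $_POST['value'] ) ) : '';
    update_option( 'ctp_example_setting', $value ); // assumed option name
    wp_send_json_success();
}

// --- Hardened pattern: nonce (CSRF) check, then capability (authorisation) check ---
add_action( 'wp_ajax_ctp_switch', 'ctp_switch_hardened' );
function ctp_switch_hardened() {
    // 1. CSRF: verify the nonce embedded in the admin page. On failure this
    //    terminates the request with HTTP 403 before anything else runs.
    check_ajax_referer( 'ctp_switch_nonce', 'nonce' );

    // 2. Authorisation: only users who may manage options can change settings.
    //    A valid nonce alone is not enough; a Subscriber can obtain one too.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $value = isset( $_POST['value'] ) ? sanitize_text_field( wp_unslash( $_POST['value'] ) ) : '';
    update_option( 'ctp_example_setting', $value );
    wp_send_json_success();
}

// The settings page must hand the nonce to its script so the AJAX call can
// send it back in the 'nonce' field that check_ajax_referer() reads above.
add_action( 'admin_enqueue_scripts', 'ctp_enqueue_admin_script' );
function ctp_enqueue_admin_script( $hook_suffix ) {
    // Assumed script handle and file; restrict to your own settings page in practice.
    wp_enqueue_script( 'ctp-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'ctp-admin', 'ctpAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'ctp_switch_nonce' ),
    ) );
}
```

Order matters in the hardened handler: check_ajax_referer() runs first so a forged cross-site request is rejected regardless of the victim's role, and current_user_can() then rejects low-privilege users who legitimately hold a nonce. Either check on its own would leave one of the two issues named in the description open.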

CVSS score: 5.7 (Medium)
EPSS: 0.10%
Reference: Third-Party Advisory, wpscan.com
Affected: CatchThemes Essential Widgets
Affected: CatchThemes To Top
Affected: CatchThemes Header Enhancement
Affected: CatchThemes Generate Child Theme
Affected: CatchThemes Essential Content Types
Affected: CatchThemes Catch Web Tools
Affected: CatchThemes Catch Under Construction
Affected: CatchThemes Catch Themes Demo Import
Affected: CatchThemes Catch Sticky Menu
Affected: CatchThemes Catch Scroll Progress Bar
Affected: CatchThemes Social Gallery and Widget
Affected: CatchThemes Catch Infinite Scroll
Affected: CatchThemes Catch Import Export
Affected: CatchThemes Catch Gallery
Affected: CatchThemes Catch Duplicate Switcher
Affected: CatchThemes Catch Breadcrumb
Affected: CatchThemes Catch IDs
Frequently Asked Questions

What is the severity of CVE-2021-24752?
CVE-2021-24752 has a CVSS score of 5.7 and is rated as a medium severity vulnerability.
How to fix CVE-2021-24752?
To fix CVE-2021-24752, update each affected CatchThemes plugin to the first release that is no longer listed as affected (for example, Essential Widgets 1.9 or later and Catch IDs 2.4 or later), and confirm the patched version against the vendor release notes. At present there are no other specific guidelines available.
Is CVE-2021-24752 being actively exploited in the wild?
A public exploit is listed for this vulnerability, so it is possible that CVE-2021-24752 is being exploited or will be exploited in the near future. Its EPSS score of 0.10% corresponds to a roughly 0% probability that it will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2021-24752?
CVE-2021-24752 affects CatchThemes Essential Widgets, CatchThemes To Top, CatchThemes Header Enhancement, CatchThemes Generate Child Theme, CatchThemes Essential Content Types, CatchThemes Catch Web Tools, CatchThemes Catch Under Construction, CatchThemes Catch Themes Demo Import, CatchThemes Catch Sticky Menu, CatchThemes Catch Scroll Progress Bar, CatchThemes Social Gallery and Widget, CatchThemes Catch Infinite Scroll, CatchThemes Catch Import Export, CatchThemes Catch Gallery, CatchThemes Catch Duplicate Switcher, CatchThemes Catch Breadcrumb, CatchThemes Catch IDs.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registered trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registered trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.