Introduction
Attackers can gain full administrative control of a WordPress site running CE21 Suite simply by sending a crafted request to a public AJAX endpoint. This flaw enables remote, unauthenticated users to update plugin settings and create admin accounts on any affected installation.
CE21 Suite is a WordPress plugin developed by ce21com, designed to provide single sign-on capabilities for WordPress sites. With only 30 active installs and 1,597 downloads, it is not widely used but poses a significant risk to any site running vulnerable versions.
Technical Information
The vulnerability resides in the CE21 Suite plugin's handling of the wp_ajax_nopriv_ce21_single_sign_on_save_api_settings AJAX action. In WordPress, AJAX actions prefixed with wp_ajax_nopriv_ are accessible to unauthenticated users. The plugin registers this action but fails to implement any capability or nonce checks within the handler function.
When a POST request is sent to wp-admin/admin-ajax.php with the parameter action=ce21_single_sign_on_save_api_settings, the plugin processes the request and updates its API settings, including sensitive fields such as the secret key used for authentication. The absence of a current_user_can() check or similar authorization logic means that any remote user, regardless of authentication state, can modify these settings.
This design flaw is categorized as CWE-306 (Missing Authentication for Critical Function). The attack flow is straightforward:
- Attacker identifies a WordPress site running a vulnerable version of CE21 Suite.
- Attacker sends a POST request to /wp-admin/admin-ajax.php with action=ce21_single_sign_on_save_api_settings and new API settings (including a new secret key).
- The plugin updates its configuration with the attacker-supplied values.
- Attacker leverages the new secret key or modified settings to create new administrator accounts or escalate privileges.
No code snippets are available in public sources, but the vulnerability is confirmed by multiple advisories and threat intelligence feeds.
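Because the plugin's own handler is not public, the following is an added illustration (not CE21 Suite code) of the two patterns the advisory contrasts: a settings-save handler registered on a wp_ajax_nopriv_ hook with no checks, beside the same handler written the way a WordPress AJAX endpoint that changes options should be written. The hook names, option name and request parameters (example_sso_*, secret_key, nonce) are placeholders chosen for this example.

```php
<?php
/*
 * Added example for the CWE-306 pattern described above. Not the CE21 Suite
 * source, which is not public; every name here is a placeholder.
 */

// VULNERABLE PATTERN: wp_ajax_nopriv_* makes the handler reachable without a
// session, and the body performs no nonce or capability check before writing
// an option that holds a secret. Anyone who can reach admin-ajax.php wins.
add_action('wp_ajax_nopriv_example_sso_save_api_settings', 'example_sso_save_api_settings_vulnerable');
function example_sso_save_api_settings_vulnerable() {
    $secret = isset($_POST['secret_key']) ? sanitize_text_field(wp_unslash($_POST['secret_key'])) : '';
    update_option('example_sso_api_settings', array('secret_key' => $secret));
    wp_send_json_success();
}

// HARDENED PATTERN: registered only on wp_ajax_* (logged-in users), protected
// by a nonce against CSRF, and gated on the capability that settings changes
// require. Each check fails closed before anything is written.
add_action('wp_ajax_example_sso_save_api_settings', 'example_sso_save_api_settings_hardened');
function example_sso_save_api_settings_hardened() {
    // Validates the 'nonce' request field for this action; terminates with 403 on failure.
    check_ajax_referer('example_sso_save_api_settings', 'nonce');

    // Authorization: only users who may manage site options can change the settings.
    if (!current_user_can('manage_options')) {
        wp_send_json_error(array('message' => 'Insufficient permissions.'), 403);
    }

    $secret = isset($_POST['secret_key']) ? sanitize_text_field(wp_unslash($_POST['secret_key'])) : '';
    if ($secret === '') {
        wp_send_json_error(array('message' => 'secret_key is required.'), 400);
    }

    update_option('example_sso_api_settings', array('secret_key' => $secret));
    wp_send_json_success();
}

// The admin page that triggers the save must hand the browser a matching nonce,
// e.g. wp_create_nonce('example_sso_save_api_settings') passed via wp_localize_script().
```

The point of the hardened form is that the three controls are independent: dropping the nopriv hook removes anonymous reachability, the nonce ties the request to a page WordPress served to that user, and current_user_can() enforces authorization even if a low-privilege account is logged in. A code review of any plugin that writes options from an AJAX handler should look for all three.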
Affected Systems and Versions
- Product: CE21 Suite WordPress plugin
- Affected versions: 2.2.1 to 2.3.1
- Vulnerable configuration: Any WordPress site with CE21 Suite versions 2.2.1, 2.2.2, 2.3.0, or 2.3.1 installed and active
Vendor Security History
CE21 Suite has a history of critical security issues:
- CVE-2024-10284: Authentication bypass due to hardcoded encryption key
- CVE-2024-10285: JWT token disclosure
- CVE-2024-10294: Missing authorization to unauthenticated plugin settings change
The plugin has been removed from the WordPress repository, and the vendor's response to previous vulnerabilities has been reactive. There is no evidence of a proactive security process or rapid patch turnaround.
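Since the plugin is no longer distributed through the WordPress repository, a site that cannot remove it immediately needs a compensating control. The following is an added example of a must-use plugin (not vendor code) that refuses unauthenticated requests for the vulnerable action before the plugin's handler runs. It relies on the fact that wp-admin/admin-ajax.php fires the admin_init hook before dispatching the wp_ajax_nopriv_* action; the function name is a placeholder for this example.

```php
<?php
/*
 * Plugin Name: Block unauthenticated CE21 settings save (added example)
 * Description: Stopgap for CE21 Suite 2.2.1 to 2.3.1. Place in wp-content/mu-plugins/.
 *              Illustrative code, not part of the plugin or the advisory.
 */

// admin_init runs in admin-ajax.php before the action is dispatched, so a
// high-priority callback here can stop the request before the plugin sees it.
function example_block_ce21_nopriv_settings_save() {
    // Only act on AJAX requests; ordinary admin page loads are untouched.
    if (!(defined('DOING_AJAX') && DOING_AJAX)) {
        return;
    }

    $action = isset($_REQUEST['action']) ? (string) $_REQUEST['action'] : '';
    if ($action !== 'ce21_single_sign_on_save_api_settings') {
        return;
    }

    // A logged-in administrator keeps the feature; everyone else is refused.
    if (is_user_logged_in() && current_user_can('manage_options')) {
        return;
    }

    // Record the attempt for incident review, then fail closed with 403.
    $remote = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    error_log(sprintf('Blocked unauthenticated ce21_single_sign_on_save_api_settings from %s', $remote));
    wp_send_json_error(array('message' => 'Forbidden'), 403);
}
add_action('admin_init', 'example_block_ce21_nopriv_settings_save', 1);
```

Must-use plugins load before regular plugins and cannot be disabled from the dashboard, which is why the block belongs there rather than in a normal plugin. The error_log() line doubles as a detection signal: repeated blocked attempts in the PHP error log, or POSTs to admin-ajax.php carrying this action in the web server access log, indicate the site is being probed and should prompt a review of administrator accounts and the plugin's stored secret.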