VYPR
Unrated severity · NVD Advisory · Published May 14, 2021 · Updated Aug 3, 2024

Tree Sitemap < 2.9 - Arbitrary Plugin Installation/Activation via Low Privilege User

CVE-2021-24192

Description

Low privileged users can use the AJAX action 'cp_plugins_do_button_job_later_callback' in the Tree Sitemap WordPress plugin before 2.9, to install any plugin (including a specific version) from the WordPress repository, as well as activate arbitrary plugins from the blog, which helps attackers install vulnerable plugins and could lead to more critical vulnerabilities like RCE.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products (2)

  • Range: <2.9
  • wp-buy/Tree Sitemap (Pages, Posts & Categories list) v5
    Range: 2.9

Patches

Vulnerability mechanics

Root cause

"Missing capability checks on the AJAX action `cp_plugins_do_button_job_later_callback` allow low-privileged users to install and activate arbitrary plugins."

Attack vector

A low-privileged user (e.g., a subscriber or contributor) sends a crafted AJAX request to the `cp_plugins_do_button_job_later_callback` action. The request can specify any plugin slug (and optionally a version) from the WordPress.org repository, causing the plugin to be installed. The same action can also be used to activate any already-installed plugin on the blog [ref_id=1]. This allows an attacker to install a known-vulnerable plugin and then activate it, potentially leading to remote code execution [ref_id=1].

Affected code

The vulnerable AJAX action is `cp_plugins_do_button_job_later_callback` in the Tree Sitemap plugin (versions before 2.9). The advisory does not specify the exact file or function name containing this callback [ref_id=1].

What the fix does

The advisory states the vulnerability is fixed in Tree Sitemap version 2.9 [ref_id=1]. No patch diff is provided, but the fix likely adds proper capability checks (e.g., `install_plugins` for installation and `activate_plugins` for activation) to the AJAX callback, preventing low-privileged users from installing or activating arbitrary plugins. A nonce check alone would not close the issue, since a WordPress nonce proves intent for the current session but does not establish that the caller is authorized.
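To make the attack vector and the fix concrete, the following is an added illustration, not code from the Tree Sitemap plugin. The advisory names only the AJAX action `cp_plugins_do_button_job_later_callback`; the handler bodies, the request parameters (`job`, `plugin_slug`, `plugin_version`, `plugin_file`), the nonce action name `cp_plugins_do_button_job` and the helper `cp_example_install_from_wporg` are assumptions made for this example. The vulnerable shape shows why any logged-in role can reach the install/activate path; the hardened shape fails closed before touching the upgrader.

```php
<?php
// Added example, not the plugin's own code. Parameter names, the nonce action name and the
// helper function are assumptions; only the AJAX action name comes from the advisory.

// Vulnerable shape: registered on the authenticated wp_ajax_ hook, which WordPress fires for
// ANY logged-in user (subscriber included). Nothing checks capabilities or a nonce, so the
// caller fully controls which plugin gets installed (at which version) or activated.
function cp_plugins_do_button_job_later_callback_vulnerable() {
    $job     = sanitize_key( $_POST['job'] ?? 'install' );
    $slug    = sanitize_key( $_POST['plugin_slug'] ?? '' );
    $version = sanitize_text_field( $_POST['plugin_version'] ?? '' );

    if ( 'install' === $job ) {
        cp_example_install_from_wporg( $slug, $version );
    } elseif ( 'activate' === $job ) {
        activate_plugin( sanitize_text_field( $_POST['plugin_file'] ?? '' ) );
    }
    wp_die();
}

// Hardened shape: same entry point, but authorization is decided before any side effect.
function cp_plugins_do_button_job_later_callback_fixed() {
    // 1. Nonce bound to this action; the admin-side button must emit it via wp_create_nonce().
    //    This is a CSRF control, not an authorization control, so it is not sufficient alone.
    check_ajax_referer( 'cp_plugins_do_button_job', 'nonce' );

    $job     = sanitize_key( $_POST['job'] ?? 'install' );
    $slug    = sanitize_key( $_POST['plugin_slug'] ?? '' );
    $version = sanitize_text_field( $_POST['plugin_version'] ?? '' );

    // 2. Capability matched to the job: installs need install_plugins, activation needs
    //    activate_plugins. Subscribers, contributors, authors and editors have neither.
    $needed = ( 'activate' === $job ) ? 'activate_plugins' : 'install_plugins';
    if ( ! current_user_can( $needed ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    if ( 'install' === $job ) {
        $result = cp_example_install_from_wporg( $slug, $version );
    } else {
        $result = activate_plugin( sanitize_text_field( $_POST['plugin_file'] ?? '' ) );
    }

    if ( is_wp_error( $result ) ) {
        wp_send_json_error( array( 'message' => $result->get_error_message() ) );
    }
    wp_send_json_success();
}
add_action( 'wp_ajax_cp_plugins_do_button_job_later_callback', 'cp_plugins_do_button_job_later_callback_fixed' );

// Hypothetical helper: resolve a package URL from the WordPress.org plugin API and run the
// core Plugin_Upgrader. The 'versions' map is what lets a caller pin an old, known-vulnerable
// release instead of the current one, which is the escalation path the advisory describes.
function cp_example_install_from_wporg( $slug, $version = '' ) {
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    require_once ABSPATH . 'wp-admin/includes/plugin-install.php';

    $api = plugins_api(
        'plugin_information',
        array( 'slug' => $slug, 'fields' => array( 'versions' => true ) )
    );
    if ( is_wp_error( $api ) ) {
        return $api;
    }

    $package = $api->download_link;
    if ( '' !== $version && ! empty( $api->versions[ $version ] ) ) {
        $package = $api->versions[ $version ];
    }

    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    return $upgrader->install( $package );
}
```

With the vulnerable shape in place, a subscriber only needs their own logged-in cookie and a POST to `/wp-admin/admin-ajax.php` carrying `action=cp_plugins_do_button_job_later_callback` plus the assumed `job`/`plugin_slug`/`plugin_version` fields; a second request with `job=activate` then switches the freshly installed plugin on. In the hardened shape the request is rejected at the `current_user_can()` check with HTTP 403 before `Plugin_Upgrader` or `activate_plugin()` is ever reached, which is the property to verify when reviewing a fix for this class of bug.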

Preconditions

  • auth: Attacker must have a low-privileged account (e.g., subscriber) on the WordPress site
  • config: The Tree Sitemap plugin (version < 2.9) must be installed and active
  • input: admin-ajax.php must be reachable from the attacker's logged-in session (the action is an authenticated AJAX hook, which WordPress fires for any logged-in role by default)

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

1
