High severity · 8.8 · NVD Advisory · Published Nov 23, 2021 · Updated Jun 17, 2026
CVE-2021-24892
Description
An Insecure Direct Object Reference in the edit function of Advanced Forms (Free & Pro) before 1.6.9 allows an authenticated remote attacker to change an arbitrary user's email address and request a password reset, which could lead to takeover of the WordPress administrator account. To exploit this vulnerability, an attacker must register to obtain a valid WordPress user account and authenticate with it in order to reach the vulnerable edit function.
Affected products
- Range: <1.6.9
- Range: <1.6.9
- Range: 1.6.9
References
- github.com/advancedforms/advanced-forms/commit/2ce3ab6985c3a909eefb01c562995bc6a994d3a2 (NVD: Patch, Third Party Advisory)
- wpscan.com/vulnerability/364b0843-a990-4204-848a-60c928cc5bc0 (NVD: Exploit, Third Party Advisory)