CVSS Score of 10 (low)


Published Jul 1, 2023
Updated: Nov 7, 2023
CWE ID 352


CVE-2021-4405 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the ElasticPress plugin for WordPress in versions up to and including 3.5.3. The root cause is missing or incorrect nonce validation in the epio_send_autosuggest_allowed() function: because the handler does not verify that the request originated from the site itself, an unauthenticated attacker can forge a request that sends the allowed parameters for autosuggest to elasticpress[.]io. Exploitation requires tricking a site administrator into performing an action, such as clicking a link, while logged in. The vulnerability has a base score of 4.3 and is rated medium severity, with low integrity impact and no confidentiality impact. There have been 97 reported instances of this vulnerability, highlighting its potential danger to affected organizations. Remediation is to update the ElasticPress plugin to a version that addresses the CSRF vulnerability.
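The root cause described above is a WordPress admin-AJAX handler whose nonce check is missing or wrong. The following is an added illustration of that pattern in its weak and hardened forms; it is not the ElasticPress plugin's own code, and the `example_*` function names, the `ep_autosuggest_allowed` nonce action, the script handle and the option key are assumptions made for this example.

```php
<?php
// Added illustration (not ElasticPress code): a WordPress admin-AJAX handler in
// the weak form the advisory describes, beside a hardened one. All example_*
// names, the nonce action and the option key are assumptions for this example.

// Weak pattern: the handler acts on any request that carries the parameter.
// With no nonce and no capability check, a request an administrator's browser
// is induced to send from a third-party page is accepted exactly like a
// legitimate one, which is the CSRF condition the advisory describes.
function example_send_autosuggest_allowed_weak() {
    $allowed = isset( $_POST['allowed_params'] ) ? (array) $_POST['allowed_params'] : array();
    update_option( 'example_autosuggest_allowed', $allowed );
    wp_send_json_success( $allowed );
}

// Hardened pattern: require a nonce the site issued (proves the request came
// from a page the site rendered for this user), confirm the caller may change
// settings, and sanitize the input before storing it.
function example_send_autosuggest_allowed_hardened() {
    // check_ajax_referer() compares the '_wpnonce' field against the action
    // name; on mismatch it stops execution with a 403 response.
    check_ajax_referer( 'ep_autosuggest_allowed', '_wpnonce' );

    // A nonce is not an authorization check: also verify the capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    $raw     = isset( $_POST['allowed_params'] ) ? (array) wp_unslash( $_POST['allowed_params'] ) : array();
    $allowed = array_values( array_filter( array_map( 'sanitize_key', $raw ) ) );

    update_option( 'example_autosuggest_allowed', $allowed );
    wp_send_json_success( $allowed );
}
add_action( 'wp_ajax_example_send_autosuggest_allowed', 'example_send_autosuggest_allowed_hardened' );

// The settings screen must hand the matching nonce to its script so that only
// requests built from that page carry a valid '_wpnonce' value.
function example_enqueue_autosuggest_settings() {
    wp_localize_script( 'example-settings', 'exampleSettings', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'ep_autosuggest_allowed' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_autosuggest_settings' );
```

When reviewing a plugin for this class of bug, look for `wp_ajax_*` or `admin_post_*` handlers that call `update_option()` or make outbound requests without a preceding `check_ajax_referer()` / `wp_verify_nonce()` and `current_user_can()` pair.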


Explore Beyond the CVE Basics with Recorded Future's Vulnerability Intelligence

Note: This is just a basic overview providing quick insights into CVE-2021-4405 information. Gain full access to comprehensive CVE data, risk scores, prioritization, and mitigation data through Recorded Future's Vulnerability Intelligence:
  • Prioritize with Risk-Based Scoring
  • Explore the Extensive Vulnerability Database
  • Receive Early Alerts on Emerging CVEs
  • Focus on Critical Exploitable Vulnerabilities
  • Streamline Remediation with Integration Options