CVE-2025-11007

The Multiple Products

Executive summary

A critical vulnerability has been identified in the CE21 Suite plugin for WordPress, a component of "The Multiple Products" suite. This flaw allows an unauthenticated attacker to remotely change the plugin's settings without any authorization. Successful exploitation could lead to a complete compromise of the affected website, enabling attackers to steal data, impersonate users, or take full administrative control.

Vulnerability

The vulnerability exists within the CE21 Suite plugin for WordPress due to a missing capability check on one of its AJAX handlers. The handler is registered on the wp_ajax_nopriv_ce21_single_sign_on_save_api_settings action, and the _nopriv prefix means WordPress dispatches it for visitors who are not logged in. An attacker can therefore send a crafted HTTP request to the WordPress AJAX endpoint naming this action and modify the plugin's Single Sign-On (SSO) API settings without any authentication. This allows an unauthenticated remote attacker to alter critical configuration, potentially redirecting authentication flows to a malicious server or disabling security features.

Business impact

This vulnerability is rated as critical severity with a CVSS score of 9.8, posing a significant and immediate threat to the business. Exploitation could lead to a full site takeover, allowing an attacker to gain administrative privileges. Potential consequences include theft of sensitive customer or corporate data, financial fraud, reputational damage, and the use of the compromised website to distribute malware or launch further attacks. The ability for an unauthenticated attacker to execute this attack with low complexity makes the risk particularly high.

Remediation

Immediate Action: Update The Multiple Products (specifically the CE21 Suite plugin for WordPress) to the latest version provided by the vendor to patch the vulnerability. After patching, review the plugin's SSO API settings to confirm that no unauthorized changes have been made.

Proactive Monitoring: Security teams should actively monitor for exploitation attempts. Review web server and WAF access logs for suspicious POST requests to /wp-admin/admin-ajax.php containing the parameter action=ce21_single_sign_on_save_api_settings. Note that the action parameter may be sent in the POST body rather than the query string, and standard web server access logs do not record request bodies, so WAF or request-body logging is needed to cover that case. Also monitor for any unexpected or unauthorized changes to plugin configurations or user accounts.
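The log review described above, as an added example that is not part of the original advisory: a small Python scanner that parses Apache/nginx combined-format access log lines and flags requests to admin-ajax.php whose action parameter (in the query string, or in a separately captured request body) names the vulnerable action. The log lines and IP addresses are constructed samples, not real traffic.

```python
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# The unauthenticated AJAX action named in the advisory.
VULN_ACTION = "ce21_single_sign_on_save_api_settings"

# Apache/nginx "combined" format: ip ident user [time] "METHOD target proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def is_ce21_sso_attempt(line: str, body: str = "") -> Optional[dict]:
    """Return match details if the request targets the vulnerable action.

    Access logs do not record POST bodies; pass `body` (URL-encoded) only
    when a WAF or request-logging module captured it.
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if not url.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    # parse_qs percent-decodes, so an encoded ce21%5Fsingle_... still matches.
    actions = parse_qs(url.query).get("action", []) + parse_qs(body).get("action", [])
    if VULN_ACTION not in actions:
        return None
    return {"ip": m.group("ip"), "time": m.group("ts"),
            "method": m.group("method"), "status": int(m.group("status"))}

def scan(lines):
    """Return a hit record for every access-log line that targets the action."""
    return [h for h in (is_ce21_sso_attempt(l) for l in lines) if h]

# Constructed sample log lines (not real traffic); 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2025:12:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=ce21_single_sign_on_save_api_settings HTTP/1.1" 200 45 "-" "curl/8.5"',
    '203.0.113.8 - - [10/Oct/2025:12:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=ce21%5Fsingle%5Fsign%5Fon%5Fsave%5Fapi%5Fsettings HTTP/1.1" 200 45 "-" "python-requests/2.32"',
    '198.51.100.3 - - [10/Oct/2025:12:00:03 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 120 "https://example.invalid/wp-admin/" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Oct/2025:12:00:04 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A hit with status 200 after the patch is applied is still worth investigating, since the request shows intent even when the handler now rejects it.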

Compensating Controls: If immediate patching is not feasible, consider implementing the following controls:

  • Use a Web Application Firewall (WAF) to create a rule that blocks all requests to the vulnerable AJAX action (ce21_single_sign_on_save_api_settings).
  • Temporarily disable the CE21 Suite plugin until it can be safely updated.
  • Restrict access to the admin-ajax.php file to only trusted IP addresses, if business operations permit.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the critical CVSS score of 9.8 and the potential for a complete site compromise by an unauthenticated attacker, this vulnerability requires immediate attention. Although it is not currently listed in the CISA KEV catalog, its severity warrants treating it as an emergency. We strongly recommend that all instances of the CE21 Suite plugin for WordPress be identified and patched to the latest version without delay to prevent potential exploitation.