### [CVE-2021-24133](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24133)
![](https://img.shields.io/static/v1?label=Product&message=ActiveCampaign&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=8.0.2%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-352%20Cross-Site%20Request%20Forgery%20(CSRF)&color=brightgreen)

### Description

Lack of CSRF checks in the ActiveCampaign WordPress plugin, versions before 8.0.2, on its Settings form, which could allow attacker to make a logged-in administrator change API Credentials to attacker's account.

### POC

#### Reference
- https://wpscan.com/vulnerability/a72a5be4-654b-496f-94cd-3814c0e40120

#### Github
- https://github.com/20142995/nuclei-templates