Pinterest Automatic - Authentication Bypass (CVE-2021-4380)
The Pinterest Automatic plugin for WordPress is vulnerable to authorization bypass due to missing capability checks on the 'wp_pinterest_automatic_parse_request' function and the 'process_form.php' script in versions up to, and including, 1.14.3. This makes it possible for unauthenticated attackers to update arbitrary options on a site that can be used to create new administrative user accounts or redirect unsuspecting site visitors.
CrowdSec analysis
CVE-2021-4380 is a critical authorization bypass vulnerability in the Pinterest Automatic plugin for WordPress, affecting versions up to 1.14.3. This flaw allows unauthenticated attackers to update arbitrary site options, potentially leading to the creation of new administrative accounts or malicious redirection of site visitors. Exploitation of this vulnerability could result in full site compromise and significant security risks for affected WordPress installations.
CrowdSec has been tracking this vulnerability and its exploitation since 15 October 2025.
Based on data from the CrowdSec network, nearly all observed exploitation of CVE-2021-4380 is fully opportunistic, with attackers indiscriminately scanning the entire internet. These attacks are automated and lack any form of target selection or reconnaissance. Data from the CrowdSec community also indicates a gradual decrease in attacks targeting CVE-2021-4380. While still present in the wild, exploitation levels have dropped noticeably week-over-week. This may signal that the vulnerability is becoming less relevant or that defenses are improving fast enough for attackers to lose interest.
Attackers exploit the endpoint /?wp_pinterest_automatic=settings to perform unauthorized POST requests, allowing them to update arbitrary WordPress site options without authentication.
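As an added illustration (not part of the CrowdSec page or the plugin's own code), the following Python script scans web-server access logs for requests to the two unauthenticated entry points named above: the `?wp_pinterest_automatic=settings` handler and the `process_form.php` script. The sample log lines, their IP addresses and the plugin directory path in them are constructed for this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines in combined format; not real traffic.
# The plugin directory in the fourth line is an assumed path, used only as sample input.
SAMPLE_LOG = """\
203.0.113.10 - - [16/Oct/2025:09:12:01 +0000] "POST /?wp_pinterest_automatic=settings HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.11 - - [16/Oct/2025:09:12:05 +0000] "GET /index.php?wp_pinterest_automatic=settings HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [16/Oct/2025:09:13:40 +0000] "GET /wp-content/plugins/pinterest-automatic/readme.txt HTTP/1.1" 404 0 "-" "curl/8.0"
192.0.2.5 - - [16/Oct/2025:09:14:02 +0000] "POST /wp-content/plugins/pinterest-automatic/process_form.php HTTP/1.1" 200 128 "-" "-"
192.0.2.9 - - [16/Oct/2025:09:15:00 +0000] "GET /?p=42 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# Combined log format: client IP, identd, user, [timestamp], "METHOD target PROTO", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def classify(method: str, target: str):
    """Return (severity, reason) when the request hits one of the two
    unauthenticated entry points named in the advisory, else None."""
    parts = urlsplit(target)
    query = parse_qs(parts.query)
    # Entry point 1: the settings handler reached via ?wp_pinterest_automatic=settings.
    if "settings" in query.get("wp_pinterest_automatic", []):
        if method == "POST":
            return ("high", "POST to wp_pinterest_automatic=settings (option update path)")
        return ("medium", "non-POST access to wp_pinterest_automatic=settings (probe)")
    # Entry point 2: the plugin's process_form.php script, matched by file name only.
    if parts.path.rsplit("/", 1)[-1] == "process_form.php" and method == "POST":
        return ("high", "POST to process_form.php (missing capability check)")
    return None

def scan_log(text: str):
    """Parse each line and collect requests matching the CVE-2021-4380 pattern."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        verdict = classify(m["method"], m["target"])
        if verdict:
            hits.append({"ip": m["ip"], "ts": m["ts"], "status": int(m["status"]),
                         "severity": verdict[0], "reason": verdict[1]})
    return hits

if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f'{h["severity"]:6} {h["ip"]:15} {h["reason"]}')
```

A 200 response to a matching POST on an unpatched site is the signal to check `wp_options` and the user table for unexpected changes; the same rule can be expressed as a CrowdSec or WAF pattern on the query string and file name.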
Blocklist
With our advanced worldwide network detection, CrowdSec can provide a list of IPs known for exploiting the vulnerability.
To increase your protection against this CVE, block exploitation attempts with this list of identified actors.