CVE-2021-24688
Last modified
CVE-2021-24688 is a medium-severity vulnerability rated 4.3/10 on the CVSS scale. The Orange Form WordPress plugin through 1.0.1 does not have any authorisation and CSRF checks in all of its AJAX calls, for example the or_delete_filed one which is available to both unauthenticated and authenticated users could allow attackers to delete arbitrary posts.The AJAX calls performing actions on posts also do not ensure that the post belong to them (or that they are allowed to perform such action on it). EPSS estimates a 0.43% chance of exploitation in the next 30 days.
Description
The Orange Form WordPress plugin through 1.0.1 does not have any authorisation and CSRF checks in all of its AJAX calls, for example the or_delete_filed one which is available to both unauthenticated and authenticated users could allow attackers to delete arbitrary posts.The AJAX calls performing actions on posts also do not ensure that the post belong to them (or that they are allowed to perform such action on it)
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Orange-Form Project | Orange-Form | <= 1.0.1 |
References
- https://wpscan.com/vulnerability/78bc7cf1-7563-4ada-aec9-af4c943e3e2cExploit, Third Party Advisory
- https://wpscan.com/vulnerability/78bc7cf1-7563-4ada-aec9-af4c943e3e2cExploit, Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2021-24688?
How severe is CVE-2021-24688?
How do I fix CVE-2021-24688?
Are you affected by CVE-2021-24688?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST