Orange Form <= 1.0.1 - Unauthenticated Arbitrary Post Deletion
CVE-2021-24688

4.3MEDIUM

Key Information:

Vendor: Wordpress
Status: Orange Form
Vendor: CVE Published:; 28 February 2022

Summary

The Orange Form WordPress plugin through 1.0.1 does not have any authorisation and CSRF checks in all of its AJAX calls, for example the or_delete_filed one which is available to both unauthenticated and authenticated users could allow attackers to delete arbitrary posts.The AJAX calls performing actions on posts also do not ensure that the post belong to them (or that they are allowed to perform such action on it)

Affected Version(s)

Orange Form 1.0.1

References

https://wpscan.com/vulnerability/78bc7cf1-7563-4ada-aec9-...

x_refsource_MISC

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Feb 28, 2022
Vulnerability Reserved
Jan 14, 2021

Credit

Francesco Carlucci