Nested Pages <= 3.1.15 Cross-Site Request Forgery to Arbitrary Post Deletion and Modification
CVE-2021-38342

8.1HIGH

Key Information:

Vendor: Wordpress
Status: Nested Pages
Vendor: CVE Published:; 30 August 2021

Summary

The Nested Pages WordPress plugin <= 3.1.15 was vulnerable to Cross-Site Request Forgery via the npBulkActions and npBulkEdit admin_post actions, which allowed attackers to trash or permanently purge arbitrary posts as well as changing their status, reassigning their ownership, and editing other metadata.

Affected Version(s)

Nested Pages 3.1.15

References

https://www.wordfence.com/blog/2021/08/nested-pages-pat%E...

x_refsource_MISC

CVSS V3.1

Score:

8.1

Severity:

HIGH

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Aug 30, 2021
Vulnerability Reserved
Aug 9, 2021

Credit

Ramuel Gall, Wordfence