CVE-2021-24688

Published: Feb 28, 2022Modified: Nov 21, 2024

4.3

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Exploitability: 2.8 / Impact: 1.4

Source: NVD

Description

The Orange Form WordPress plugin through 1.0.1 does not have any authorisation and CSRF checks in all of its AJAX calls, for example the or_delete_filed one which is available to both unauthenticated and authenticated users could allow attackers to delete arbitrary posts.The AJAX calls performing actions on posts also do not ensure that the post belong to them (or that they are allowed to perform such action on it)

Affected (1)

Products: Orange Form Project: Orange Form

Orange Form Project

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Orange Form Project Orange Form	Up to 1.0.1

Related CWEs

Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

References (2)

https://wpscan.com/vulnerability/78bc7cf1-7563-4ada-aec9-af4c943e3e2c

Source: contact@wpscan.com

ExploitThird Party Advisory

https://wpscan.com/vulnerability/78bc7cf1-7563-4ada-aec9-af4c943e3e2c

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.