CVE-2021-24639

CVE-2021-24639: OMGF < 4.5.4 - Subscriber+ Arbitrary File/Folder Deletion

Vendor Unknown

Product OMGF | Host Google Fonts Locally

Weakness CWE-862 · Missing authorization

Published September 20, 2021

Last update August 3, 2024

View on NVD All CVEs

CVSS base score

—

What the vulnerability does

01Description

The OMGF WordPress plugin before 4.5.4 does not enforce path validation, authorisation and CSRF checks in the omgf_ajax_empty_dir AJAX action, which allows any authenticated users to delete arbitrary files or folders on the server.

Key dates

02Disclosure timeline

September 20, 2021 CVE published

August 3, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2021-24639 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/862.html

Related vulnerabilities

04Related CVE

CVE-2024-27906 Apache Airflow: Dag Code and Import Error Permissions Ignored CVE-2026-47120 Nezha Monitoring: RoleMember can fire other users' cron tasks via AlertRule.FailTriggerTasks (no ownership check) CVE-2026-35175 Ajenti has an authorization bypass during custom package installation CVE-2024-31244 WordPress Bricksforge plugin <= 2.0.17 - Unauthenticated Arbitrary WordPress Settings Change vulnerability CVE-2025-69349 WordPress RSS Feed Widget plugin <= 3.0.2 - Broken Access Control vulnerability