CVE-2021-24688

CVE-2021-24688: Orange Form <= 1.0.1 - Unauthenticated Arbitrary Post Deletion

Vendor Unknown

Product Orange Form

Weakness CWE-284

Published February 28, 2022

Last update August 3, 2024

View on NVD All CVEs

CVSS base score

—

What the vulnerability does

01Description

The Orange Form WordPress plugin through 1.0.1 does not have any authorisation and CSRF checks in all of its AJAX calls, for example the or_delete_filed one which is available to both unauthenticated and authenticated users could allow attackers to delete arbitrary posts.The AJAX calls performing actions on posts also do not ensure that the post belong to them (or that they are allowed to perform such action on it)

Key dates

02Disclosure timeline

February 28, 2022 CVE published

August 3, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2021-24688

Related vulnerabilities

CVE-2021-24688: Orange Form <= 1.0.1 - Unauthenticated Arbitrary Post Deletion

01Description

02Disclosure timeline

03References

04Related CVE