CVE-2021-24968

CVE-2021-24968: Ultimate FAQ < 2.1.2 - Subscriber+ Arbitrary FAQ Creation

Vendor Unknown
Product Ultimate FAQ – WordPress FAQ and Accordion Plugin
Weakness CWE-862 · Missing authorization
Published January 24, 2022
Last update August 3, 2024

CVSS base score

What the vulnerability does

01Description

The Ultimate FAQ WordPress plugin before 2.1.2 does not have capability and CSRF checks in the ewd_ufaq_welcome_add_faq and ewd_ufaq_welcome_add_faq_page AJAX actions, available to any authenticated users. As a result, any users, with a role as low as Subscriber could create FAQ and FAQ questions

Key dates

02Disclosure timeline

January 24, 2022 CVE published
August 3, 2024 Record updated

Related vulnerabilities

04Related CVE