CVE-2021-24978

CVE-2021-24978: OSMapper <= 2.1.5 - Unauthenticated Arbitrary Post Deletion

Vendor Unknown
Product OSMapper
Weakness CWE-862 · Missing authorization
Published March 28, 2022
Last update August 3, 2024

CVSS base score

What the vulnerability does

01Description

The OSMapper WordPress plugin through 2.1.5 contains an AJAX action to delete a plugin related post type named 'map' and is registered with the wp_ajax_nopriv prefix, making it available to unauthenticated users. There is no authorisation, CSRF and checks in place to ensure that the post to delete is a map one. As a result, unauthenticated user can delete arbitrary posts from the blog

Key dates

02Disclosure timeline

March 28, 2022 CVE published
August 3, 2024 Record updated