CVE-2021-25013

CVE-2021-25013: Qubely < 1.7.8 - Subscriber+ Arbitrary Post Deletion

Vendor Unknown
Product Qubely – Advanced Gutenberg Blocks
Weakness CWE-862 · Missing authorization
Published January 24, 2022
Last update August 3, 2024
View on NVD All CVEs

CVSS base score

What the vulnerability does

01Description

The Qubely WordPress plugin before 1.7.8 does not have authorisation and CSRF check on the qubely_delete_saved_block AJAX action, and does not ensure that the block to be deleted belong to the plugin, as a result, any authenticated users, such as subscriber can delete arbitrary posts

Key dates

02Disclosure timeline

January 24, 2022 CVE published
August 3, 2024 Record updated

Related vulnerabilities

04Related CVE

CVE-2025-12822 WP Login and Register using JWT <= 3.0.0 - Missing Authorization to Authenticated (Subscriber+) API Key Exposure CVE-2026-45243 Summarize < 0.15.1 Browser Extension Missing Authorization via Content Script CVE-2024-34371 WordPress Login with phone number plugin <= 1.7.18 - Broken Access Control vulnerability CVE-2024-2036 ApplyOnline – Application Form Builder and Manager <= 2.6.2 - Missing Authorization to Sensitive Information Exposure CVE-2026-32546 WordPress Restrict Content plugin <= 3.2.22 - Broken Access Control vulnerability