CVE-2021-38342 HIGH

CVE-2021-38342: Nested Pages <= 3.1.15 Cross-Site Request Forgery to Arbitrary Post Deletion and Modification

Vendor Kyle Phillips
Product Nested Pages
Weakness CWE-352 · CSRF
Published August 30, 2021
Last update September 17, 2024

CVSS base score

8.1/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality None
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H

What the vulnerability does

01Description

The Nested Pages WordPress plugin <= 3.1.15 was vulnerable to Cross-Site Request Forgery via the `npBulkAction`s and `npBulkEdit` `admin_post` actions, which allowed attackers to trash or permanently purge arbitrary posts as well as changing their status, reassigning their ownership, and editing other metadata.

Key dates

02Disclosure timeline

August 30, 2021 CVE published
September 17, 2024 Record updated