CVE-2021-24688

🗓️ 28 Feb 2022 09:06:02Reported by WPScanType

cve🔗 web.nvd.nist.gov👁 88 Views🌐 WEB

Orange Form WordPress plugin 1.0.1 allows unauthenticated users to delete arbitrary posts

Reporter	Title	Published	Views	Family All 10
CNNVD	Wordpress Plugin Orange Form 跨站请求伪造漏洞	28 Feb 202200:00	–	cnnvd
CNVD	Wordpress Orange Form Plugin Cross-Site Request Forgery Vulnerability	2 Mar 202200:00	–	cnvd
Cvelist	CVE-2021-24688 Orange Form <= 1.0.1 - Unauthenticated Arbitrary Post Deletion	28 Feb 202209:06	–	cvelist
EUVD	EUVD-2021-11600	7 Oct 202500:30	–	euvd
NVD	CVE-2021-24688	28 Feb 202209:15	–	nvd
Patchstack	WordPress Orange Form <= 1.0.1 - Unauthenticated Arbitrary Post Deletion	29 Dec 202100:00	–	patchstack
Prion	Cross site request forgery (csrf)	28 Feb 202209:15	–	prion
RedhatCVE	CVE-2021-24688	22 May 202521:04	–	redhatcve
wpexploit	Orange Form <= 1.0.1 - Unauthenticated Arbitrary Post Deletion	29 Dec 202100:00	–	wpexploit
WPVulnDB	Orange Form <= 1.0.1 - Unauthenticated Arbitrary Post Deletion	29 Dec 202100:00	–	wpvulndb

NVD

Vulners

Node

orange-form_project orange-formRange≤1.0.1wordpress

[
  {
    "product": "Orange Form",
    "vendor": "Unknown",
    "versions": [
      {
        "lessThanOrEqual": "1.0.1",
        "status": "affected",
        "version": "1.0.1",
        "versionType": "custom"
      }
    ]
  }
]

Source	Link
wpscan	www.wpscan.com/vulnerability/78bc7cf1-7563-4ada-aec9-af4c943e3e2c

Parameter	Position	Path	Description	CWE
action	request body	wp-admin/admin-ajax.php	AJAX endpoint lacking authorization/CSRF protections allowing actions like deleting posts via or_delete_filed	CWE-284, CWE-352
or_pf_id	request body	wp-admin/admin-ajax.php	AJAX endpoint lacking authorization/CSRF protections allowing actions like deleting posts via or_delete_filed	CWE-284, CWE-352

21 Nov 2024 05:53Current

4.6Medium risk

Vulners AI Score4.6

CVSS 3.14.3

CVSS 24.3

EPSS0.00112