The OSMapper WordPress plugin through 2.1.5 contains an AJAX action to delete a plugin related post type named ‘map’ and is registered with the wp_ajax_nopriv prefix, making it available to unauthenticated users. There is no authorisation, CSRF and checks in place to ensure that the post to delete is a map one. As a result, unauthenticated user can delete arbitrary posts from the blog
[
{
"product": "OSMapper",
"vendor": "Unknown",
"versions": [
{
"lessThanOrEqual": "2.1.5",
"status": "affected",
"version": "2.1.5",
"versionType": "custom"
}
]
}
]