Lucene search

WordfenceCVELIST:CVE-2021-4359

HistoryJun 07, 2023 - 1:51 a.m.

CVE-2021-4359

2023-06-0701:51:29

Wordfence

www.cve.org

wordpress

file manager

vulnerability

unauthenticated

post deletion

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

EPSS

0.001

Percentile

48.5%

JSON

The Frontend File Manager plugin for WordPress is vulnerable to Unauthenticated Arbitrary Post Deletion in versions up to, and including, 18.2. This is due to lacking authentication protections and lacking a security nonce on the wpfm_delete_file AJAX action. This makes it possible for unauthenticated attackers to delete any posts and pages on the site.

CNA Affected

[
  {
    "vendor": "nmedia",
    "product": "Frontend File Manager Plugin",
    "versions": [
      {
        "version": "*",
        "status": "affected",
        "lessThan": "18.3",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unaffected"
  }
]

References

blog.nintechnet.com/wordpress-frontend-file-manager-plugin-fixed-multiple-critical-vulnerabilities/

plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2554359%40nmedia-user-file-uploader&new=2554359%40nmedia-user-file-uploader&sfp_email=&sfph_mail=

www.wordfence.com/threat-intel/vulnerabilities/id/84c61d00-20c1-4176-a74d-ea6ff6220f26?source=cve

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

EPSS

0.001

Percentile

48.5%

JSON

Related for CVELIST:CVE-2021-4359