CVE-2021-24704

Severity CVSS v4.0:
Pending analysis
Type:
CWE-352 Cross-Site Request Forgery (CSRF)
Publication date:
28/02/2022
Last modified:
07/03/2022

Description

In the Orange Form WordPress plugin through 1.0, the process_bulk_action() function in "admin/orange-form-email.php" performs an unprepared SQL query with an unsanitized parameter ($id). Only admin can access the page that invokes the function, but because of lack of CSRF protection, it is actually exploitable and could allow attackers to make a logged in admin delete arbitrary posts for example

Vulnerable products and versions

CPE From Up to
cpe:2.3:a:orange-form_project:orange-form:*:*:*:*:*:wordpress:*:* 1.0 (including)