PT-2022-9447 · WordPress · Orange Form

Francesco Carlucci · Published 2022-02-28 · Updated 2022-03-07 · CVE-2021-24688

CVSS v3.1: 4.3 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions

Orange Form WordPress plugin versions prior to 1.0.2

Description

The issue concerns a lack of authorization and CSRF checks in AJAX calls within the plugin. Specifically, the or delete filed AJAX call is accessible to both unauthenticated and authenticated users, potentially allowing attackers to delete arbitrary posts. Additionally, the plugin does not verify if a post belongs to the user or if they are authorized to perform actions on it.

Recommendations

For Orange Form WordPress plugin versions prior to 1.0.2, update to version 1.0.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the or delete filed AJAX call to prevent unauthorized post deletion.
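
The checks the description says are missing, shown as an added example that is not the plugin's code or its 1.0.2 fix: a WordPress AJAX delete handler with a nonce (CSRF) check and a per-post capability check. The action name `example_delete_entry`, the `nonce` and `post_id` parameters and the `example_form_entry` post type are hypothetical.

```php
<?php
// Added example, not the Orange Form plugin's code. All "example_*" names
// are hypothetical placeholders.

// Register the handler for logged-in users only. No wp_ajax_nopriv_* hook is
// added, so unauthenticated requests to admin-ajax.php never reach it.
add_action( 'wp_ajax_example_delete_entry', 'example_delete_entry' );

function example_delete_entry() {
    // CSRF check: terminates the request with 403 unless $_REQUEST['nonce']
    // holds a valid nonce created with wp_create_nonce( 'example_delete_entry' ).
    check_ajax_referer( 'example_delete_entry', 'nonce' );

    // Accept only a positive integer ID and make sure the post exists.
    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    $post    = $post_id ? get_post( $post_id ) : null;
    if ( ! $post ) {
        wp_send_json_error( array( 'message' => 'Post not found.' ), 404 );
    }

    // Limit the endpoint to the plugin's own post type (hypothetical name),
    // so it cannot be used to delete arbitrary pages or posts.
    if ( 'example_form_entry' !== $post->post_type ) {
        wp_send_json_error( array( 'message' => 'Unsupported post type.' ), 400 );
    }

    // Authorization: 'delete_post' is a meta capability, so WordPress checks
    // ownership and post status and requires delete_others_posts (or the
    // post type's equivalent) when the post belongs to another user.
    if ( ! current_user_can( 'delete_post', $post_id ) ) {
        wp_send_json_error( array( 'message' => 'Not allowed.' ), 403 );
    }

    // Permanently delete; wp_delete_post() returns false or null on failure.
    if ( ! wp_delete_post( $post_id, true ) ) {
        wp_send_json_error( array( 'message' => 'Delete failed.' ), 500 );
    }

    wp_send_json_success( array( 'deleted' => $post_id ) );
}
```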

Exploit · Fix · Improper Access Control · CSRF

Weakness Enumeration

Related Identifiers

CVE-2021-24688

Affected Products

Orange Form