CVE-2021-24704

Name of the Vulnerable Software and Affected Versions Orange Form WordPress plugin version 1.0

Description The issue concerns an unprepared SQL query with an unsanitized parameter ($id) in the process bulk action() function, located in the "admin/orange-form-email.php" file. Although only admins can access the page invoking this function, the lack of CSRF protection makes it exploitable. This could allow attackers to make a logged-in admin delete arbitrary posts.

Recommendations For Orange Form WordPress plugin version 1.0, consider disabling the process bulk action() function until a patch is available to prevent exploitation. Restrict access to the "admin/orange-form-email.php" file to minimize the risk of exploitation. Avoid using the parameter ($id) in the affected function until the issue is resolved.