PT-2022-9652 · WordPress · Labtools
Itsfading (+1)
Published: 2022-02-01 · Updated: 2022-12-09
CVE: CVE-2021-25097
CVSS v3.1: 6.5 (Medium)
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
LabTools WordPress plugin, versions up to and including 1.0
Description
The plugin performs neither an authorization (capability) check nor a CSRF (nonce) check when deleting publications. Any authenticated user, including one with the subscriber role, can therefore delete arbitrary publications by supplying the target ID to the deletion handler. Because no nonce is verified, the same deletion can also be triggered cross-site through the browser of a logged-in user.
Recommendations
For LabTools WordPress plugin versions up to and including 1.0, update to a release that adds proper authorization and CSRF checks to the publication-deletion handler. The page does not name a specific fixed version.
As a temporary workaround, limit who can reach the deletion handler until a patch is installed. Note that adjusting role capabilities alone does not help, since the vulnerable handler checks none; the practical interim options are deactivating the plugin or restricting which accounts can authenticate (for example, disabling open user registration).
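The following is an added illustration of the flaw described above and of the two checks the recommendation calls for. It is not the LabTools plugin's own code: the `admin_post_*` action names, the `labtools_publication` post type, the `publication_id` parameter and the nonce action string are assumptions chosen for the example. The first handler shows the vulnerable pattern (delete whatever ID arrives, from whoever sends it); the second shows the hardened pattern using standard WordPress APIs.

```php
<?php
/**
 * Added example, not code from the LabTools plugin. All hook names, the
 * 'labtools_publication' post type and the 'publication_id' parameter are
 * assumed for illustration.
 */

// --- Vulnerable pattern: no capability check, no nonce check ------------------
// Any logged-in user (CVSS PR:L) can send this action with an arbitrary ID, and
// a third-party page can make a logged-in victim's browser send it (CSRF).
add_action( 'admin_post_labtools_delete_publication_vulnerable', function () {
    $id = isset( $_REQUEST['publication_id'] ) ? (int) $_REQUEST['publication_id'] : 0;
    wp_delete_post( $id, true ); // deletes whatever ID was supplied, for any user
    wp_safe_redirect( admin_url( 'edit.php?post_type=labtools_publication' ) );
    exit;
} );

// --- Hardened pattern -----------------------------------------------------------
// 1. Verify a nonce bound to this specific publication (defeats CSRF).
// 2. Verify the target exists and is a publication (not some other post type).
// 3. Verify the current user may delete *this* post (defeats the authz bypass).
add_action( 'admin_post_labtools_delete_publication', 'labtools_handle_delete_publication' );
function labtools_handle_delete_publication() {
    $id = isset( $_REQUEST['publication_id'] ) ? absint( $_REQUEST['publication_id'] ) : 0;

    // Terminates with a 403 page if the nonce is missing, expired, or was
    // issued for a different publication ID.
    check_admin_referer( 'labtools_delete_publication_' . $id );

    $post = get_post( $id );
    if ( ! $post || 'labtools_publication' !== $post->post_type ) {
        wp_die( esc_html__( 'Invalid publication.', 'labtools' ), '', array( 'response' => 400 ) );
    }

    // 'delete_post' is a meta capability mapped to delete_posts /
    // delete_others_posts / delete_published_posts for the post type, so a
    // subscriber (who only has 'read') is denied here.
    if ( ! current_user_can( 'delete_post', $id ) ) {
        wp_die( esc_html__( 'You are not allowed to delete this publication.', 'labtools' ), '', array( 'response' => 403 ) );
    }

    wp_delete_post( $id, true );
    wp_safe_redirect( add_query_arg( 'deleted', 1, admin_url( 'edit.php?post_type=labtools_publication' ) ) );
    exit;
}

// The delete link must carry the matching nonce, and should only be rendered
// for users who are actually allowed to delete the item.
function labtools_delete_publication_url( $id ) {
    if ( ! current_user_can( 'delete_post', $id ) ) {
        return '';
    }
    $url = add_query_arg(
        array( 'action' => 'labtools_delete_publication', 'publication_id' => $id ),
        admin_url( 'admin-post.php' )
    );
    return wp_nonce_url( $url, 'labtools_delete_publication_' . $id );
}
```

If the plugin's handler is wired through `admin-ajax.php` instead of `admin-post.php`, the same two checks apply, with `check_ajax_referer()` in place of `check_admin_referer()`. The nonce alone is not sufficient: a subscriber can obtain a valid nonce for their own session, so the `current_user_can( 'delete_post', $id )` check is what actually closes the authorization hole; the nonce closes the CSRF hole.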
Fix
Incorrect Authorization
CSRF
Related Identifiers
Affected Products
Labtools