PT-2022-9671 · WordPress · Enqueue Anything

Abhishek Bhoir · Published 2022-06-13 · Updated 2023-07-04 · CVE-2021-25116

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Enqueue Anything WordPress plugin versions 1.0.0 through 1.0.1

Description: The remove asset AJAX action lacks both authorization and CSRF checks. As a result, low-privilege users, such as subscribers, can delete arbitrary assets and move arbitrary posts to the trash. The action also fails to verify that the item being deleted is actually an asset, which is why posts other than assets are affected as well.

Recommendations: For Enqueue Anything WordPress plugin versions 1.0.0 through 1.0.1, disable the remove asset AJAX action until a patch that adds proper authorization and CSRF checks is available, and restrict access to the remove asset function so that low-privilege users cannot exploit this issue.
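The three missing checks described above (CSRF, authorization, and asset-type verification), shown as an added illustration rather than the plugin's own code: the handler names, the 'ea_remove_asset' action and the 'ea_asset' post type are assumed for the example.

```php
<?php
// Added illustration, not code from the Enqueue Anything plugin. The
// function names, the 'ea_remove_asset' AJAX action and the 'ea_asset'
// post type are hypothetical.

// Vulnerable shape: no nonce check, no capability check, no type check.
// Any logged-in user can trash whatever post ID they submit.
function ea_remove_asset_vulnerable() {
    $post_id = isset( $_POST['asset_id'] ) ? (int) $_POST['asset_id'] : 0;
    wp_trash_post( $post_id );
    wp_send_json_success();
}

// Hardened shape: each check maps to one weakness named in the advisory.
function ea_remove_asset_hardened() {
    // 1. CSRF: the request must carry a nonce bound to this action.
    //    check_ajax_referer() dies with HTTP 403 when it is missing or stale.
    check_ajax_referer( 'ea_remove_asset', 'nonce' );

    $post_id = isset( $_POST['asset_id'] ) ? absint( $_POST['asset_id'] ) : 0;

    // 2. Asset-only: refuse anything that is not an asset post, so the
    //    action cannot be pointed at ordinary posts or pages.
    if ( ! $post_id || get_post_type( $post_id ) !== 'ea_asset' ) {
        wp_send_json_error( 'not an asset', 400 );
    }

    // 3. Authorization: the caller must be allowed to delete this specific
    //    post. The delete_post meta capability fails for subscribers.
    if ( ! current_user_can( 'delete_post', $post_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    wp_trash_post( $post_id );
    wp_send_json_success();
}

// Register for authenticated users only; deliberately no wp_ajax_nopriv_ hook.
add_action( 'wp_ajax_ea_remove_asset', 'ea_remove_asset_hardened' );

// The nonce is handed to the page that renders the remove button, e.g.:
// wp_localize_script( 'ea-admin', 'eaAjax',
//     array( 'nonce' => wp_create_nonce( 'ea_remove_asset' ) ) );
```

When reviewing a plugin's AJAX handlers, every wp_ajax_* callback should show a nonce check, a capability check and, where it acts on a post ID, a post-type check before any destructive call.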

Weakness Enumeration: Missing Authorization, CSRF

Related Identifiers: CVE-2021-25116

Affected Products: Enqueue Anything