CVE-2021-24978

The OSMapper WordPress plugin through 2.1.5 contains an AJAX action to delete a plugin related post type named 'map' and is registered with the wp_ajax_nopriv prefix, making it available to unauthenticated users. There is no authorisation, CSRF and checks in place to ensure that the post to delete is a map one. As a result, unauthenticated user can delete arbitrary posts from the blog
Configurations

Configuration 1 (hide)

cpe:2.3:a:b4after:osmapper:*:*:*:*:*:wordpress:*:*

History

21 Nov 2024, 05:54

Type Values Removed Values Added
References () https://wpscan.com/vulnerability/f0f2af29-e21e-4d16-9424-1a49bff7fb86 - Exploit, Third Party Advisory () https://wpscan.com/vulnerability/f0f2af29-e21e-4d16-9424-1a49bff7fb86 - Exploit, Third Party Advisory

25 Oct 2022, 16:42

Type Values Removed Values Added
CWE CWE-352

04 Apr 2022, 16:16

Type Values Removed Values Added
References (MISC) https://wpscan.com/vulnerability/f0f2af29-e21e-4d16-9424-1a49bff7fb86 - (MISC) https://wpscan.com/vulnerability/f0f2af29-e21e-4d16-9424-1a49bff7fb86 - Exploit, Third Party Advisory
CPE cpe:2.3:a:b4after:osmapper:*:*:*:*:*:wordpress:*:*
CVSS v2 : unknown
v3 : unknown
v2 : 5.0
v3 : 5.3

28 Mar 2022, 18:45

Type Values Removed Values Added
New CVE

Information

Published : 2022-03-28 18:15

Updated : 2024-11-21 05:54


NVD link : CVE-2021-24978

Mitre link : CVE-2021-24978

CVE.ORG link : CVE-2021-24978


JSON object : View

Products Affected

b4after

  • osmapper
CWE
CWE-862

Missing Authorization

CWE-352

Cross-Site Request Forgery (CSRF)