CVE-2021-24704

In the Orange Form WordPress plugin through 1.0, the process_bulk_action() function in "admin/orange-form-email.php" performs an unprepared SQL query with an unsanitized parameter ($id). Only admin can access the page that invokes the function, but because of lack of CSRF protection, it is actually exploitable and could allow attackers to make a logged in admin delete arbitrary posts for example
References
Configurations

Configuration 1

cpe:2.3:a:orange-form_project:orange-form:*:*:*:*:*:wordpress:*:*

Information

Published : 2022-02-28 09:15

Updated : 2022-03-07 06:28


NVD link : CVE-2021-24704

Mitre link : CVE-2021-24704

Products Affected
No products.