WordPress Plugin Vulnerabilities

Enqueue Anything <= 1.0.1 - Subscriber+ Arbitrary Asset/Post Deletion

Description

The plugin does not have authorisation and CSRF checks in the remove_asset AJAX action, and does not ensure that the item to be deleted is actually an asset. As a result, low privilege users such as subscriber could delete arbitrary assets, as well as put arbitrary posts in the trash.

v1.0.1 added a check to ensure post to be removed is an asset. However the plugin is still missing capability and CSRF checks

Proof of Concept

Affects Plugins

Plugin icon
enqueue-anything
No known fix

References

CVE
CVE-2021-25116

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.4 (medium)

Miscellaneous

Original Researcher
abhishek bhoir
Submitter
abhishek bhoir
Verified
Yes
WPVDB ID
140a15b6-12c8-4f03-a877-3876db866852

Timeline

Publicly Published
2022-05-17 (about 3 years ago)
Added
2022-05-17 (about 3 years ago)
Last Updated
2022-05-18 (about 3 years ago)

Other

Published
Title
Published
2025-12-11
Title
Masker for Elementor <= 1.1.4 - Missing Authorization
Published
2023-11-29
Title
Database for CF7 < 1.2.5 - Subscriber+ CF7 DB Entries Deletion
Published
2025-04-07
Title
Motors – Car Dealership & Classified Listings Plugin < 1.4.65 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Installation
Published
2025-10-04
Title
IgnitionDeck <= 2.0.10 - Missing Authorization
Published
2025-01-09
Title
Essential WP Real Estate <= 1.1.3 - Unauthenticated Arbitrary Post/Page Deletion