WordPress Plugin Vulnerabilities

Custom Searchable Data Entry System <= 1.7.1 - Unauthenticated Data Modification and Deletion

Description

The estimated 2,000+ sites running the plugin are vulnerable to Unauthenticated Data Modification and Deletion, including the potential to delete the entire contents of any table in a vulnerable site’s database.

Affects Plugins

Plugin icon
custom-searchable-data-entry-system
No known fix

References

CVE
CVE-2020-10817
URL
https://www.wordfence.com/blog/2020/03/active-attack-on-zero-day-in-custom-searchable-data-entry-system-plugin/

Classification

Type
PRIVESC
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-269
CVSS
10.0 (critical)

Miscellaneous

Original Researcher
Ram Gall (Wordfence)
Verified
No
WPVDB ID
16419c48-0f10-49ab-afec-ca395f4ce0f3

Timeline

Publicly Published
2020-03-07 (about 6 years ago)
Added
2020-03-07 (about 6 years ago)
Last Updated
2022-01-17 (about 4 years ago)

Other

Published
Title
Published
2025-05-01
Title
MStore API – Create Native Android & iOS Apps On The Cloud < 4.17.5 - Unauthenticated Limited Privilege Escalation
Published
2023-06-19
Title
tagDiv Cloud Library < 2.7 - Unauthenticated Arbitrary User Metadata Update to Privilege Escalation
Published
2026-02-13
Title
Magic Login Mail or QR Code < 2.06 - Unauthenticated Privilege Escalation via Insecure QR Code File Storage
Published
2023-08-22
Title
Donation Forms by Charitable < 1.7.0.13 - Unauthenticated Privilege Escalation
Published
2023-05-23
Title
ReviewX < 1.6.14 - Subscriber+ Privilege Escalation