WordPress Plugin Vulnerabilities

Nested Pages < 3.1.16 - CSRF to Arbitrary Post Deletion and Modification

Description

The plugin was vulnerable to Cross-Site Request Forgery via the npBulkActions and npBulkEdit admin_post actions, which allowed attackers to trash or permanently purge arbitrary posts as well as changing their status, reassigning their ownership, and editing other metadata.

Affects Plugins

Plugin icon
wp-nested-pages
Fixed in 3.1.16

References

CVE
CVE-2021-38342
URL
https://www.wordfence.com/blog/2021/08/nested-pages-patches-post-deletion-vulnerability/

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
8.1 (high)

Miscellaneous

Original Researcher
Ramuel Gall
Submitter
Ramuel Gall
Submitter twitter
ramuelgall
Verified
Yes
WPVDB ID
43265c79-940a-4298-ab0f-71eb367fafd1

Timeline

Publicly Published
2021-08-25 (about 4 years ago)
Added
2021-08-25 (about 4 years ago)
Last Updated
2022-04-10 (about 4 years ago)

Other

Published
Title
Published
2025-09-26
Title
VM Menu Reorder plugin <= 1.0.0 - Cross-Site Request Forgery to Settings Update
Published
2024-04-10
Title
Page Builder: Live Composer < 1.5.36 - Cross-Site Request Forgery
Published
2025-02-17
Title
Shopwarden – Automated WooCommerce monitoring & testing < 1.0.12 - Cross-Site Request Forgery to Arbitrary Options Update
Published
2024-04-05
Title
Multiple Page Generator Plugin – MPG < 3.4.1 - Cross-Site Request Forgery
Published
2024-12-11
Title
HQ Rental Software <= 1.5.29 - Cross-Site Request Forgery to Arbitrary Options Update