WordPress Plugin Vulnerabilities

Filter Portfolio Gallery <= 1.5 - Arbitrary Gallery Deletion via CSRF

Description

The plugin is lacking Cross-Site Request Forgery (CSRF) check when deleting a Gallery, which could allow attackers to make a logged in admin delete arbitrary Gallery.

Proof of Concept

Affects Plugins

Plugin icon
filter-portfolio-gallery
No known fix

References

CVE
CVE-2021-24795

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
5.4 (medium)

Miscellaneous

Original Researcher
Vishal Mohan
Submitter
Vishal Mohan
Submitter twitter
Vishal12MI
Verified
Yes
WPVDB ID
ef3c1d4f-53a4-439e-9434-b3b4adb687a4

Timeline

Publicly Published
2021-11-15 (about 4 years ago)
Added
2021-11-15 (about 4 years ago)
Last Updated
2022-04-11 (about 3 years ago)

Other

Published
Title
Published
2025-06-05
Title
Layouts for Elementor <= 1.11 - Cross-Site Request Forgery
Published
2025-06-05
Title
Booqable Rental <= 2.4.21 - Cross-Site Request Forgery
Published
2021-06-30
Title
Food Store < 1.3.7 - Unauthorised AJAX call via CSRF
Published
2025-03-28
Title
NertWorks All in One Social Share Tools <= 1.26 - Cross-Site Request Forgery
Published
2024-10-09
Title
Newsletter, SMTP, Email marketing and Subscribe forms by Brevo (formely Sendinblue) < 3.1.88 - Cross-Site Request Forgery