WordPress Plugin Vulnerabilities

OSMapper <= 2.1.5 - Unauthenticated Arbitrary Post Deletion

Description

The plugin contains an AJAX action to delete a plugin related post type named 'map' and is registered with the wp_ajax_nopriv prefix, making it available to unauthenticated users. There is no authorisation, CSRF and checks in place to ensure that the post to delete is a map one. As a result, unauthenticated user can delete arbitrary posts from the blog

Proof of Concept

Affects Plugins

Plugin icon
osmapper
No known fix

References

CVE
CVE-2021-24978

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
8.2 (high)

Miscellaneous

Original Researcher
dc11
Submitter
dc11
Verified
Yes
WPVDB ID
f0f2af29-e21e-4d16-9424-1a49bff7fb86

Timeline

Publicly Published
2022-03-01 (about 3 years ago)
Added
2022-03-01 (about 3 years ago)
Last Updated
2022-04-08 (about 3 years ago)

Other

Published
Title
Published
2024-08-28
Title
Fota WP < 1.4.2 - Missing Authorization via fotawp_install_and_activate_plugins()
Published
2024-02-26
Title
Download Media <= 1.4.2 - Missing Authorization via generate_link_for_media
Published
2025-11-30
Title
LearnPress < 4.3.0 - Missing Authorization
Published
2025-10-27
Title
Insert PHP Code Snippet < 1.4.4 - Missing Authorization
Published
2025-04-24
Title
Smart Hashtags [#hashtagger] <= 7.2.3 - Missing Authorization