Vulnerabilities > CVE-2021-24704 - Unspecified vulnerability in Orange-Form Project Orange-Form

CVSS 8.8 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

low complexity

orange-form-project

NVD

Published: 2022-02-28

Updated: 2024-11-21

Summary

In the Orange Form WordPress plugin through 1.0, the process_bulk_action() function in "admin/orange-form-email.php" performs an unprepared SQL query with an unsanitized parameter ($id). Only admin can access the page that invokes the function, but because of lack of CSRF protection, it is actually exploitable and could allow attackers to make a logged in admin delete arbitrary posts for example

Vulnerable Configurations

Part	Description	Count
Application	Orange-Form_Project Orange Form Project Orange Form *	1

References

https://wpscan.com/vulnerability/60843022-fe43-4608-8859-9c9109b35b42
https://wpscan.com/vulnerability/60843022-fe43-4608-8859-9c9109b35b42