Vulnerabilities > CVE-2021-25116 - Missing Authorization vulnerability in Enqueue Anything Project Enqueue Anything 1.0.1

CVSS 6.5 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

LOW

Confidentiality impact

NONE

Integrity impact

HIGH

Availability impact

NONE

network

low complexity

enqueue-anything-project

CWE-862

NVD

Published: 2022-06-13

Updated: 2023-11-07

Summary

The Enqueue Anything WordPress plugin through 1.0.1 does not have authorisation and CSRF checks in the remove_asset AJAX action, and does not ensure that the item to be deleted is actually an asset. As a result, low privilege users such as subscriber could delete arbitrary assets, as well as put arbitrary posts in the trash.

Vulnerable Configurations

Part	Description	Count
Application	Enqueue_Anything_Project Enqueue Anything Project Enqueue Anything - Enqueue Anything Project Enqueue Anything 1.0.1	2

Common Weakness Enumeration (CWE)

CWE-862 - Missing Authorization

References

https://wpscan.com/vulnerability/140a15b6-12c8-4f03-a877-3876db866852