Описание
The Qubely WordPress plugin before 1.7.8 does not have authorisation and CSRF check on the qubely_delete_saved_block AJAX action, and does not ensure that the block to be deleted belong to the plugin, as a result, any authenticated users, such as subscriber can delete arbitrary posts
Ссылки
- ExploitThird Party Advisory
- ExploitThird Party Advisory
Уязвимые конфигурации
Конфигурация 1Версия до 1.7.8 (исключая)
cpe:2.3:a:themeum:qubely:*:*:*:*:*:wordpress:*:*
EPSS
Процентиль: 31%
0.00118
Низкий
6.5 Medium
CVSS3
4 Medium
CVSS2
Дефекты
CWE-862
CWE-352
Связанные уязвимости
CVSS3: 6.5
github
около 4 лет назад
The Qubely WordPress plugin before 1.7.8 does not have authorisation and CSRF check on the qubely_delete_saved_block AJAX action, and does not ensure that the block to be deleted belong to the plugin, as a result, any authenticated users, such as subscriber can delete arbitrary posts
EPSS
Процентиль: 31%
0.00118
Низкий
6.5 Medium
CVSS3
4 Medium
CVSS2
Дефекты
CWE-862
CWE-352