CVE-2021-24704

Summary

In the Orange Form WordPress plugin through 1.0, the process_bulk_action() function in "admin/orange-form-email.php" performs an unprepared SQL query with an unsanitized parameter ($id). Only admin can access the page that invokes the function, but because of lack of CSRF protection, it is actually exploitable and could allow attackers to make a logged in admin delete arbitrary posts for example

Affected Software

VendorProductVersion RangeStatus
UnknownOrange Form1.0 <= 1.0affected

Weaknesses

  • CWE-89: CWE-89 SQL Injection
  • CWE-352: CWE-352 Cross-Site Request Forgery (CSRF)

ADP Enrichment

CVE Program Container

Additional References

References