Vulnerability Details CVE-2021-25116
The Enqueue Anything WordPress plugin through 1.0.1 does not have authorisation and CSRF checks in the remove_asset AJAX action, and does not ensure that the item to be deleted is actually an asset. As a result, low privilege users such as subscriber could delete arbitrary assets, as well as put arbitrary posts in the trash.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 26.9%
CVSS Severity
CVSS v3 Score 6.5
CVSS v2 Score 4.0
References
Products affected by CVE-2021-25116
-
cpe:2.3:a:enqueue_anything_project:enqueue_anything:-
-
cpe:2.3:a:enqueue_anything_project:enqueue_anything:1.0.1