CVE-2021-24572

CWE-352 — Cross-Site Request Forgery (CSRF)3 documents3 sources

Severity

4.3MEDIUM

EPSS

0.1%

top 71.86%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Unknown Accept Donations With Paypal Wpplugin Accept Donations With Paypal

Timeline

PublishedNov 1

Latest updateMay 24

Description

The Accept Donations with PayPal WordPress plugin before 1.3.1 provides a function to create donation buttons which are internally stored as posts. The deletion of a button is not CSRF protected and there is no control to check if the deleted post was a button post. As a result, an attacker could make logged in admins delete arbitrary posts

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages2 packages

▶NVDwpplugin/accept_donations_with_paypal< 1.3.1

▶CVEListV5unknown/accept_donations_with_paypal1.3.1 — 1.3.1

🔴Vulnerability Details

GHSA

GHSA-887j-hc67-xww2: The Accept Donations with PayPal WordPress plugin before 1↗2022-05-24

▶

CVEList

Paypal Donation < 1.3.1 - CSRF to Arbitrary Post Deletion↗2021-11-01

▶