CVE-2021-24749 — Cross-Site Request Forgery in URL Shortify

CWE-352 — Cross-Site Request Forgery3 documents3 sources

Severity

4.3MEDIUMNVD

EPSS

0.1%

top 71.84%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Kaizencoders URL Shortify

Timeline

PublishedNov 29

Latest updateNov 30

Description

The URL Shortify WordPress plugin before 1.5.1 does not have CSRF check in place when bulk-deleting links or groups, which could allow attackers to make a logged in admin delete arbitrary link and group via a CSRF attack.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages1 packages

▶NVDkaizencoders/url_shortify< 1.5.1

🔴Vulnerability Details

GHSA

GHSA-cqc3-xrjw-8pwv: The URL Shortify WordPress plugin before 1↗2021-11-30

▶

CVEList

URL Shortify < 1.5.1 - Arbitrary Link/Group Deletion via CSRF↗2021-11-29

▶