CVE-2021-25013
published 2022-01-24


Priority: P4 32
CVSS 3.1: 6.5 medium, AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
EPSS: 0.43% (34.3rd percentile)
The Qubely WordPress plugin before 1.7.8 does not have authorisation and CSRF checks on the qubely_delete_saved_block AJAX action, and does not ensure that the block to be deleted belongs to the plugin; as a result, any authenticated user, such as a subscriber, can delete arbitrary posts.

Affected

3 ranges

Vendor    Product   Version range              Fixed in
gnu       glibc     >= 0, < 2.27-3ubuntu1.5    2.27-3ubuntu1.5
gnu       glibc     >= 0, < 2.31-0ubuntu9.7    2.31-0ubuntu9.7
themeum   qubely    < 1.7.8                    1.7.8

CVSS provenance

Source   Version   Score   Severity   Vector
nvd      v3.1      6.5     MEDIUM     CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
nvd      v2.0      4.0     MEDIUM     AV:N/AC:L/Au:S/C:N/I:P/A:N
osv      -         5.9     MEDIUM     -