On August 13, 2021, the Wordfence Threat Intelligence team responsibly disclosed two vulnerabilities in Nested Pages, a WordPress plugin installed on over 80,000 sites that provides drag and drop functionality to manage your page structure and post ordering.
These vulnerabilities included a Cross-Site Request Forgery vulnerability that allowed posts and pages to be deleted, unpublished or assigned to a different author in bulk, as well as a separate open redirect vulnerability.
The plugin author responded to our disclosure immediately and released a patched version of the plugin, version 3.1.16, a few hours later.
Due to the nature of Cross-Site Request Forgery vulnerabilities, which involve tricking an authenticated administrator's browser into submitting a request that the administrator is authorized to make, it is not possible to provide protection for these vulnerabilities without blocking legitimate requests. As such, it is strongly recommended to update to the latest patched version of Nested Pages to ensure your site is protected against exploits targeting these vulnerabilities.
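The standard WordPress defence against this class of bug is a nonce check plus a capability check on every state-changing handler. The snippet below is an added illustration, not Nested Pages' code: a hypothetical admin-ajax "bulk trash" action (the action name `np_demo_bulk_trash`, the `post_ids`/`nonce` field names and the script handle are all assumed), shown first without those checks and then hardened.

```php
<?php
// Added illustration, not Nested Pages code. All names below are assumed.

// Weak form (deliberately not registered): any request that arrives with a
// logged-in user's cookies is honoured, so a page the user is lured to can
// submit it cross-site. That is the CSRF pattern described above.
function np_demo_bulk_trash_unsafe() {
    $ids = array_map( 'intval', (array) ( $_POST['post_ids'] ?? array() ) );
    foreach ( $ids as $id ) {
        wp_trash_post( $id );
    }
    wp_send_json_success( array( 'trashed' => $ids ) );
}

// Hardened form: the request must carry a nonce that only a page rendered for
// this user can contain, and each post is checked against the caller's rights.
function np_demo_bulk_trash_safe() {
    // Ends the request with HTTP 403 unless the 'nonce' field verifies for
    // the current user and the 'np_demo_bulk_trash' action.
    check_ajax_referer( 'np_demo_bulk_trash', 'nonce' );

    $ids     = array_map( 'intval', (array) ( $_POST['post_ids'] ?? array() ) );
    $trashed = array();
    foreach ( $ids as $id ) {
        // Per-post capability check: a user may only trash posts they may delete.
        if ( $id > 0 && current_user_can( 'delete_post', $id ) && wp_trash_post( $id ) ) {
            $trashed[] = $id;
        }
    }
    wp_send_json_success( array( 'trashed' => $trashed ) );
}
add_action( 'wp_ajax_np_demo_bulk_trash', 'np_demo_bulk_trash_safe' );

// The nonce is handed to the plugin's own script, which sends it with each
// request as the 'nonce' POST field. A third-party page cannot obtain it.
function np_demo_enqueue() {
    wp_enqueue_script( 'np-demo', plugins_url( 'np-demo.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'np-demo', 'npDemo', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'np_demo_bulk_trash' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'np_demo_enqueue' );
```

Because the nonce is tied to the logged-in user and to the action name, a forged request from another origin fails the `check_ajax_referer` call before any post is touched, and the capability check covers the unpublish and reassign-author cases just as well when the handler calls `wp_update_post` instead.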
Description: Cross-Site Request Forgery to Arbitrary Post Deletion and Modification
Affected Plugin: Nested Pages
Plugin Slug: wp-nested-pages
Affected Versions: <= 3.1.15
CVE ID: CVE-2021-38342
CVSS Score: 8.1 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H
Researcher/s: Ramuel Gall
Fully Patched Version: 3.1.16
The Nested Pages plugin allows