Description
The Nested Pages WordPress plugin <= 3.1.15 was vulnerable to Cross-Site Request Forgery via the `npBulkActions` and `npBulkEdit` `admin_post` actions, which allowed attackers to trash or permanently purge arbitrary posts, as well as change their status, reassign their ownership, and edit other metadata.
References (2)
Core References
Third Party Advisory x_refsource_misc
https://www.wordfence.com/blog/2021/08/nested-pages-pat%E2%80%A6on-vulnerability/
Third Party Advisory
https://www.wordfence.com/vulnerability-advisories/
Scores
CVSS v3
8.1
EPSS
0.0049
EPSS Percentile
38.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H
Details
CWE
CWE-352
Status
published
Products (1)
kylephillips/nested_pages
< 3.1.15
Published
Aug 30, 2021
Tracked Since
Feb 18, 2026