Ultimate WordPress Auction Plugin Missing Authorization Vulnerability Allowing Arbitrary Post Deletion

Vulnerability

The Ultimate WordPress Auction Plugin for WordPress is vulnerable in all versions up to and including 4.2.9. An authenticated attacker with Contributor-level access or higher can delete arbitrary auctions, posts, and pages, and can trigger other auction-related actions. The root cause is missing authorization: the deletion handler accepts a post ID supplied by the requester without validating that it refers to an auction the requester is allowed to act on, and it does not verify that the user holds the capability to delete the targeted post before performing the deletion.

Impact

Exploiting this vulnerability lets a low-privilege user delete auctions and unrelated site content such as posts and pages, including content owned by other users. Losing auction records can disrupt auctions in progress and destroy data that may be unrecoverable without a backup. Contributor is the lowest WordPress role that can create content, and some sites grant it to self-registered or otherwise untrusted users, which widens the pool of potential attackers.

Reproduction

To reproduce, log in as a user with Contributor-level access (or any higher role), obtain the ID of a target post, page, or auction (post IDs are visible in the editor URL), and submit the plugin's deletion request with that ID. Because the handler performs neither nonce verification nor a capability check on the targeted post, no bypass is needed: the request succeeds as sent. The checks that are missing are the ones a correct handler makes before calling wp_delete_post(): that the request carries a valid nonce for the action and that current_user_can( 'delete_post', $post_id ) holds for the requesting user.

Remediation

Update the Ultimate WordPress Auction Plugin to version 4.3.0 or later, where this issue has been fixed. Until the update is applied, restrict or suspend untrusted accounts at Contributor level or above, or deactivate the plugin, and confirm that a recent backup exists so deleted content can be restored.
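The following is an added illustration, not the plugin's code and not the vendor's fix: a generic WordPress admin-ajax deletion handler in the vulnerable shape described in the Vulnerability and Reproduction sections above, placed beside a hardened version that adds the checks the Reproduction section says are missing. The action names, the example_auction post type, the nonce action string, the auction_id parameter and the script handle are all hypothetical.

```php
<?php
// Added example (hypothetical names throughout); not the plugin's own code.

// VULNERABLE SHAPE: any logged-in user can reach this through admin-ajax.php
// and delete whatever post ID they submit. There is no nonce check, no
// capability check, and no check that the ID refers to an auction at all,
// so ordinary posts and pages can be deleted too.
function example_delete_auction_vulnerable() {
    $post_id = isset( $_POST['auction_id'] ) ? intval( $_POST['auction_id'] ) : 0;
    wp_delete_post( $post_id, true );
    wp_send_json_success( array( 'deleted' => $post_id ) );
}
add_action( 'wp_ajax_example_delete_auction_vulnerable', 'example_delete_auction_vulnerable' );

// HARDENED VERSION: nonce, input validation and authorization, in that order.
function example_delete_auction_hardened() {
    // 1. CSRF protection: the request must carry a nonce issued for this action.
    //    check_ajax_referer() calls wp_die() on failure, so nothing below runs.
    check_ajax_referer( 'example_delete_auction', 'nonce' );

    $post_id = isset( $_POST['auction_id'] ) ? absint( $_POST['auction_id'] ) : 0;
    $post    = $post_id ? get_post( $post_id ) : null;

    // 2. Input validation: the ID must resolve to the plugin's own post type,
    //    so a page or blog post ID is rejected before any capability logic.
    if ( ! $post || 'example_auction' !== $post->post_type ) {
        wp_send_json_error( array( 'message' => 'Invalid auction.' ), 400 );
    }

    // 3. Authorization: defer to WordPress's capability mapping for this post.
    //    For a Contributor, delete_post is granted only on their own unpublished
    //    posts, so ownership is enforced without a hand-rolled author == user check.
    if ( ! current_user_can( 'delete_post', $post->ID ) ) {
        wp_send_json_error( array( 'message' => 'Not allowed.' ), 403 );
    }

    if ( ! wp_delete_post( $post->ID, true ) ) {
        wp_send_json_error( array( 'message' => 'Deletion failed.' ), 500 );
    }
    wp_send_json_success( array( 'deleted' => $post->ID ) );
}
add_action( 'wp_ajax_example_delete_auction_hardened', 'example_delete_auction_hardened' );

// The nonce has to be handed to the page that renders the delete button.
// 'example-auction-admin' is a hypothetical script handle registered elsewhere.
function example_enqueue_delete_nonce() {
    wp_localize_script( 'example-auction-admin', 'exampleAuction', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_delete_auction' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_delete_nonce' );
```

The capability check only behaves as described if the auction post type is registered with 'map_meta_cap' => true (or inherits 'post' capabilities), so that delete_post is mapped to delete_posts, delete_others_posts and delete_published_posts for the calling user. A nonce alone is not authorization: it stops cross-site request forgery but does nothing against a logged-in Contributor who can fetch the nonce from their own session, which is why step 3 is the check that actually closes the issue this page describes.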

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 1.0
impact: 0.0
exploitability: 6.4
remediation: 7.7
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.