Post Title on background showing wordpress post editor

Nested Pages Patches Post Deletion Vulnerability

On August 13, 2021, the Wordfence Threat Intelligence team responsibly disclosed two vulnerabilities in Nested Pages, a WordPress plugin installed on over 80,000 sites that provides drag and drop functionality to manage your page structure and post ordering.

These vulnerabilities included a Cross-Site Request Forgery vulnerability that allowed posts and pages to be deleted, unpublished or assigned to a different author in bulk, as well as a separate open redirect vulnerability.

The plugin author responded to our disclosure immediately and released a patched version of the plugin, version 3.1.16, a few hours later.

Due to the nature of Cross-Site Request Forgery vulnerabilities, which involve tricking administrators into performing actions that they are allowed to perform, it is not possible to provide protection for these vulnerabilities without blocking legitimate requests. As such, it is strongly recommended to update to the latest patched version of Nested Pages to ensure your site is protected against exploits targeting these vulnerabilities.

Description: Cross-Site Request Forgery to Arbitrary Post Deletion and Modification
Affected Plugin: Nested Pages
Plugin Slug: wp-nested-pages
Affected Versions: <= 3.1.15
CVE ID: CVE-2021-38342
CVSS Score: 8.1 (High)
Researcher/s: Ramuel Gall
Fully Patched Version: 3.1.16

The Nested Pages plugin allows site owners to manage page structure via drag and drop functionality. It also allows owners to perform actions on multiple pages at the same time, including bulk page deletion and modification of page metadata, including page author and publication status.

The plugin accomplished this via a pair of admin_post actions: npBulkActions and npBulkEdit. While most of the plugin’s actions included CSRF protection, these did not. The npBulkActions action could be used to trash or permanently delete any page on the site. While it would merely trash posts provided in the post_ids POST parameter, all of the post IDs passed to it via the redirect_post_ids  POST parameter, intended to delete links, would be fully deleted.

The end result of this was that an attacker could trick an administrator into sending a request that could reassign pages to a different author, publish or unpublish them, or even permanently purge every single post and page from a site at once.

Description: Open Redirect
Affected Plugin: Nested Pages
Plugin Slug: wp-nested-pages
Affected Versions: <= 3.1.15
CVE ID: CVE-2021-38343
CVSS Score: 4.7 (Medium)
Researcher/s: Ramuel Gall
Fully Patched Version: 3.1.16

In addition to being usable for modifying pages on a site, the functions called by the npBulkActions and npBulkEdit actions also redirected users to the location provided in the page POST parameter after completing their changes.

In many cases, open redirects can be used to trick visitors into entering credentials on a phishing site by appearing to be a link to a trusted site and then redirecting them to a malicious site under an attacker’s control. In this case, the open redirect could also serve a secondary purpose. With most CSRF attacks, the victim lands on the page used to make the changes they were tricked into making, which could tip them off that something has gone wrong, especially if the changes are visible on the page. The ability to chain an open redirect to the CSRF attack makes it easier for an attacker to exploit the CSRF attack and redirect the victim to another page without immediately raising suspicion.

Additionally, there were 2 other admin_post actions, npListingSort and npCategoryFilter, which provided access to read-only functions and thus would not be likely targets of a CSRF attack, but could be used to perform an open redirect attack.


August 13, 2021 18:27 UTC – Initial outreach to the plugin developer.
August 13, 2021 18:30 UTC – Plugin developer responds.
August 13, 2021 18:46 UTC – Full disclosure sent.
August 13, 2021 20:15 UTC – A patched version of the plugin is released.


In today’s post, we covered two vulnerabilities in Nested Pages, including one that could be used to permanently delete all the pages on a site and another that could facilitate phishing or be used to hide the initial attack.

An administrator would need to be tricked into visiting an attacker-controlled page in order to exploit these vulnerabilities, but they can still be used to cause a large amount of damage, so we strongly recommend updating to the latest version of Nested Pages, version 3.1.16 at the time of writing.

If you have any friends or colleagues who are using this plugin, please share this announcement with them and encourage them to update to version 3.1.16 (or newer) of Nested Pages as soon as possible.

Special thanks to the plugin developer, Kyle Phillips, for patching the plugin in record time.
This article was written by Ramuel Gall, a former Wordfence Senior Security Researcher.

Did you enjoy this post? Share it!


No Comments