{"id":"CVE-2021-4420","details":"The Sell Media plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.5.5. This is due to missing or incorrect nonce validation on the sell_media_process() function. This makes it possible for unauthenticated attackers to sell media paypal orders via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.","modified":"2026-04-12T03:54:52.388907Z","published":"2023-07-12T07:15:09.747Z","references":[{"type":"ADVISORY","url":"https://blog.nintechnet.com/25-wordpress-plugins-vulnerable-to-csrf-attacks/"},{"type":"ADVISORY","url":"https://blog.nintechnet.com/more-wordpress-plugins-and-themes-vulnerable-to-csrf-attacks/"},{"type":"ADVISORY","url":"https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-1/"},{"type":"ADVISORY","url":"https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-2/"},{"type":"ADVISORY","url":"https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-3/"},{"type":"ADVISORY","url":"https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-4/"},{"type":"ADVISORY","url":"https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-5/"},{"type":"ADVISORY","url":"https://www.wordfence.com/threat-intel/vulnerabilities/id/da4592b6-5e84-4a89-9ade-6cc227740d32?source=cve"},{"type":"FIX","url":"https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2603629%40sell-media&new=2603629%40sell-media&sfp_email=&sfph_mail="}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/graphpaperpress/sell-media","events":[{"introduced":"0"},{"last_affected":"766bcf5f8947f2e45f6908f6c317bbd45d73dc57"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"last_affected":"2.5.5"}],"cpe":"cpe:2.3:a:graphpaperpress:sell_media:*:*:*:*:*:wordpress:*:*","source":"CPE_FIELD"}}],"versions":["1.0.1","1.0.3","1.0.4","1.0.5","1.0.6","1.0.7","1.0.8","1.0.9","1.1","1.2","1.2.1","1.2.2","1.2.3","1.2.4","1.2.5","1.2.6","1.2.7","1.2.9","1.3","1.4","1.4.1","1.4.2","1.4.3","1.4.4","1.4.5","1.4.6","1.5","1.5.1","1.5.2","1.5.3","1.5.5","1.5.6","1.5.7","1.5.8","1.5.9","1.6","1.6.1","1.6.2","1.6.3","1.6.4","1.6.5","1.6.6","1.6.7","1.6.8","1.6.9","1.7","1.8.3","1.8.4","1.8.6","1.8.7","1.9","1.9.1","1.9.2","1.9.4","1.9.5","1.9.6","1.9.7","1.9.8","2.0","2.0-hotfix","2.0.1","2.0.2","2.0.3","2.0.4","2.0.5","2.0.6","2.1.1","2.1.2","2.1.3","2.1.4","2.1.5","2.1.6","2.2","2.2.1","2.2.10","2.2.11","2.2.12","2.2.3","2.2.4","2.2.6","2.2.7","2.2.8","2.2.9","2.3.1","2.3.2","2.3.5","2.4.2","2.4.3","2.4.4","2.4.5","2.4.6","2.5","2.5.1","2.5.2","2.5.3","2.5.5","settings-class","v2.4.2"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-4420.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"}]}