cve/2024/CVE-2024-1170.md

### [CVE-2024-1170](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-1170)
![](https://img.shields.io/static/v1?label=Product&message=Post%20Form%20%E2%80%93%20Registration%20Form%20%E2%80%93%20Profile%20Form%20for%20User%20Profiles%20%E2%80%93%20Frontend%20Content%20Forms%20for%20User%20Submissions%20(UGC)&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=*%3C%3D%202.8.7%20&color=brighgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-862%20Missing%20Authorization&color=brighgreen)

### Description

The Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC) plugin for WordPress is vulnerable to unauthorized media file deletion due to a missing capability check on the handle_deleted_media function in all versions up to, and including, 2.8.7. This makes it possible for unauthenticated attackers to delete arbitrary media files.

### POC

#### Reference
No PoCs from references.

#### Github
- https://github.com/fkie-cad/nvd-json-data-feeds