Two vulnerabilities were identified in late August in Nested Pages, a WordPress plugin installed on over 80,000 sites that provides drag and drop functionality to manage your page structure and post ordering.
These vulnerabilities included a Cross-Site Request Forgery vulnerability that allowed posts and pages to be deleted, unpublished or assigned to a different author in bulk, as well as a separate open redirect vulnerability.
The plugin author released a patched version of the plugin, version 3.1.16, a few hours later.
Due to the nature of Cross-Site Request Forgery vulnerabilities, which involve tricking administrators into performing actions that they are allowed to perform, it is not possible to provide protection for these vulnerabilities without blocking legitimate requests. As such, it is strongly recommended to update to the latest patched version of Nested Pages to ensure your site is protected against exploits targeting these vulnerabilities.
Full article and analysis: https://www.wordfence.com/blog/2021/08/nested-pages-patches-post-deletion-vulnerability