CVE-2021-24823: 
WordPress vulnerability analysis and mitigation

The Support Board WordPress plugin before version 3.3.6 contains a Cross-Site Request Forgery (CSRF) vulnerability identified as CVE-2021-24823. The vulnerability was discovered by Brandon Roldan and publicly disclosed on October 18, 2021. The issue affects the plugin's include/ajax.php file, which lacks CSRF protection checks, potentially allowing attackers to manipulate actions performed by authenticated users (WPScan).

The vulnerability stems from the absence of CSRF protection in the include/ajax.php file's actions. The delete-file function accepts a 'path' parameter as an argument without proper validation. If the path parameter doesn't contain 'http', it directly uses the input in the unlink function, allowing deletion of arbitrary files outside the intended uploads directory. The vulnerability has been assigned a CVSS score of 8.1 (High) and is classified under CWE-352 (WPScan, Security Blog).

The vulnerability can be exploited to delete arbitrary files on the affected system, including critical WordPress configuration files such as wp-config.php. This could lead to the ability to reinstall WordPress and potentially achieve remote code execution on the target system (Security Blog).

The vulnerability has been fixed in Support Board version 3.3.6. Users are strongly advised to update to this version or later to protect against potential attacks (WPScan).