Meta Box < 5.9.4 – Contributor+ Arbitrary Posts' Custom Field Disclosure | CVE 2024-1204 | Plugin Vulnerabilities

Description

The plugin does not prevent users with at least the contributor role from access arbitrary custom fields assigned to other user's posts.

Proof of Concept

1. ADMIN: Install Meta Box
2. ADMIN: Add Meta Box fields through code or the premium add-on (https://gist.github.com/sc0ttkclark/f4f1b94d3a8bc7f00614acf5d80dbd2e)
3. CONTRIBUTOR: Add shortcode to any post and specify/guess any post ID + field key and save
4. CONTRIBUTOR: Preview the post and see that custom field is output without any further checks for access

Example shortcode: `[rwmb_meta object_id="ANY_POST_ID" id="ANY_META_BOX_FIELD_KEY"]`

Example shortcode for my Gist: `[rwmb_meta object_id="1234" id="test_field"]`

Affects Plugins

Fixed in 5.9.4

References

CVE

URL

https://gist.github.com/sc0ttkclark/f4f1b94d3a8bc7f00614acf5d80dbd2e

Classification

Type

ACCESS CONTROLS

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Scott Kingsley Clark

Submitter

Scott Kingsley Clark

Submitter website

https://skc.dev

Submitter twitter

Verified

Yes

WPVDB ID

03191b00-0b05-42db-9ce2-fc525981b6c9

Timeline

Publicly Published

2024-03-25 (about 1 year ago)

Added

2024-03-25 (about 1 year ago)

Last Updated

2024-03-25 (about 1 year ago)

Other

Published

Title

Published

2024-09-25

Title

Jupiter X Core < 4.7.8 - Limited Unauthenticated Authentication Bypass to Account Takeover

Published

2024-03-04

Title

Schema Pro < 2.7.16 - Contributor+ Custom Field Access

Published

2021-07-12

Title

Frontend File Manager < 18.3 - Unauthenticated Arbitrary Post Deletion

Published

2021-12-23

Title

Protect WP Admin < 3.6.2 - Unauthenticated Plugin Deactivation

Published

2021-11-15

Title

Improved Include Page <= 1.2 - Contributor+ Arbitrary Posts/Pages Access