WordPress Plugin Vulnerabilities

Coditor <= 1.1 - Arbitrary File Edition, Deletion and Internal Directory Listing in wp-content

Description

The coditor_process_ajax() AJAX call is missing any CSRF and authorisation checks, allowing low privilege users (subscriber+) to read and edit any files in the wp-content folder, as well as list its content.

Proof of Concept

Affects Plugins

Plugin icon
coditor
No known fix

References

URL
https://wpdeeply.com/ninja-forms-before-3-4-27-1-simple-csrf-to-rce/

Classification

Type
ACCESS CONTROLS
OWASP top 10
A5: Broken Access Control
CWE
CWE-284
CVSS
9.9 (critical)

Miscellaneous

Original Researcher
Slavco Mihajloski
Verified
Yes
WPVDB ID
5bd5aa09-f554-4536-b28f-ea540e0cd763

Timeline

Publicly Published
2020-09-22 (about 5 years ago)
Added
2020-10-08 (about 5 years ago)
Last Updated
2020-10-09 (about 5 years ago)

Other

Published
Title
Published
2021-07-05
Title
Filter Gallery < 0.0.7 - Unauthorised AJAX Calls
Published
2021-11-15
Title
Improved Include Page <= 1.2 - Contributor+ Arbitrary Posts/Pages Access
Published
2021-10-20
Title
Responsive Image Slider, Photo Gallery And Carousel < 1.3.6 - Subscriber+ Arbitrary Post Access
Published
2024-11-04
Title
Zotpress < 7.3.13 - Missing Authorization
Published
2020-08-21
Title
Contact Form - Form builder by Kali Forms < 2.1.2 - Authenticated Plugin's Settings Change