WP Mail Logging < 1.10.0 – Outdated Redux Framework | CVE 2021-38314

Description

The plugin uses an outdated version of the Redux Framework, which is know to be affected by security issues (CVE-2021-38312 and CVE-2021-38314), and could allow unauthenticated attackers to change some of the Framework settings by using CVE-2021-38314

Proof of Concept

The first endpoint we can identify is gathered from the website's URL (e.g., https://www.wordpress.com/) md5 hashed with the "-redux" suffix.

For example, for the above URL, the first endpoint will be: https://www.wordpress.com/wp-admin/admin-ajax.php?action=16a8ca2d7a9690742c2048ec7b7f0f56

Once you make a simple HTTP GET request to the first action, it will return the first part of the 2nd hash that we need for triggering the "support_args" method.

Take the hash returned from the first endpoint and md5 hash it with the "-support" suffix. This md5 hash endpoint can now be used to modify some of the plugin's settings (enable/disable logging).

For example: POST /wp-admin/admin-ajax.php?action=30cf1a163dd8a8787885585aee1e1973&redux_framework_disable_tracking=tru

Note that other parameters that can be passed in the URL are also pre-known to malicious actors, e.g., hash, i, and code.

Impact: An unauthenticated malicious actor can change the plugin's settings and possibly even make it print other sensitive information about the plugin.