WordPress Plugin Vulnerabilities
Custom Content Shortcode < 4.0.1 - Unauthorised Arbitrary Post Metadata Access
Description
The [field] shortcode included with the plugin, allows authenticated users with a role as low as contributor, to access arbitrary post metadata. This could lead to sensitive data disclosure, for example when used in combination with WooCommerce, the email address of orders can be retrieved
Proof of Concept
With the WooCommerce plugin installed, add the following shortcode in a post as a contributor: [field _billing_email id="{order_id}"] This would print out the order billing email, which contributors should have no access to! This is valid for any post where the user is not allowed to access, but can use the shortcode to extrafiltrate any data by key/id.
Affects Plugins
References
CVE
Classification
Type
INCORRECT AUTHORISATION
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Francesco Carlucci
Submitter
Francesco Carlucci
Submitter website
Submitter twitter
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2022-02-02 (about 2 years ago)
Added
2022-02-02 (about 2 years ago)
Last Updated
2022-04-09 (about 2 years ago)