Custom Content Shortcode < 4.0.1 – Unauthorised Arbitrary Post Metadata Access | CVE 2021-24824 | Plugin Vulnerabilities

Description

The [field] shortcode included with the plugin, allows authenticated users with a role as low as contributor, to access arbitrary post metadata. This could lead to sensitive data disclosure, for example when used in combination with WooCommerce, the email address of orders can be retrieved

Proof of Concept

With the WooCommerce plugin installed, add the following shortcode in a post as a contributor: [field _billing_email id="{order_id}"]

This would print out the order billing email, which contributors should have no access to!

This is valid for any post where the user is not allowed to access, but can use the shortcode to extrafiltrate any data by key/id.

Affects Plugins

custom-content-shortcode

Fixed in 4.0.1

References

CVE

Classification

Type

INCORRECT AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Francesco Carlucci

Submitter

Francesco Carlucci

Submitter website

https://carluc.ci

Submitter twitter

Verified

Yes

WPVDB ID

7b4d4675-6089-4435-9b56-31496adc4767

Timeline

Publicly Published

2022-02-02 (about 2 years ago)

Added

2022-02-02 (about 2 years ago)

Last Updated

2022-04-09 (about 2 years ago)

Other

Published

Title

Published

2022-11-21

Title

StopBadBots < 7.24 - Subscriber+ Arbitrary Plugin Installation

Published

2021-11-09

Title

Get Custom Field Values < 4.0 - Contributors+ Arbitrary Post Metadata Access

Published

2022-02-23

Title

WooCommerce < 6.2.1 - Subscriber+ Arbitrary Comment Deletion

Published

2021-09-28

Title

AutomatorWP < 1.7.6 - Missing Authorization and Privilege Escalation

Published

2022-02-17

Title

UpdraftPlus Free < 1.22.3 & Premium < 2.22.3 - Subscriber+ Backup Download