WP VR < 8.3.15 – Unauthenticated Plugin Downgrade leading to XSS | CVE 2023-6529

Description

The plugin does not authorisation and CSRF in a function hooked to admin_init, allowing unauthenticated users to downgrade the plugin, thus leading to Reflected or Stored XSS, as previous versions have such vulnerabilities.

v3.8.15 partially fixed the issue as the wrong capability check was used

Proof of Concept

https://example.com/wp-admin/admin-ajax.php?wpvr_version=8.2.8&action=rest_nonce

Affects Plugins

wpvr

Fixed in 8.3.15

References

CVE

CVE-2023-6529

Classification

Type

ACCESS CONTROLS

OWASP top 10

A5: Broken Access Control

CWE

CWE-284

Miscellaneous

Original Researcher

Krzysztof Zając (CERT PL)

Submitter

Krzysztof Zając (CERT PL)

Submitter website

https://cert.pl

Submitter twitter

cert_polska_en

Verified

Yes

WPVDB ID

c36314c1-a2c0-4816-93c9-e61f9cf7f27a

Timeline

Publicly Published

2023-12-14 (about 5 months ago)

Added

2023-12-14 (about 5 months ago)

Last Updated

2023-12-14 (about 5 months ago)

Other

Published

Title

Published

2022-02-22

Title

Advanced Contact form 7 DB < 1.8.7 - Subscriber+ Arbitrary File Deletion

Published

2021-07-07

Title

WP Upload Restriction < 2.2.5 - Missing Access Control in getSelectedMimeTypesByRole

Published

2021-04-20

Title

Redirection for Contact Form 7 < 2.3.4 - Authenticated Arbitrary Plugin Installation

Published

2024-02-16

Title

My Private Site < 3.1.0 - Improper Access Control to Sensitive Information Exposure via REST API

Published

2021-05-07

Title

Leads-5050 Visitor Insights < 1.0.4 - Unauthenticated License Change