WP VR < 8.3.15 – Unauthenticated Plugin Downgrade leading to XSS | CVE 2023-6529

Description

The plugin does not authorisation and CSRF in a function hooked to admin_init, allowing unauthenticated users to downgrade the plugin, thus leading to Reflected or Stored XSS, as previous versions have such vulnerabilities.

v3.8.15 partially fixed the issue as the wrong capability check was used

Proof of Concept

https://example.com/wp-admin/admin-ajax.php?wpvr_version=8.2.8&action=rest_nonce

Affects Plugins

wpvr

Fixed in 8.3.15

References

CVE

CVE-2023-6529

Classification

Type

ACCESS CONTROLS

OWASP top 10

A5: Broken Access Control

CWE

CWE-284

Miscellaneous

Original Researcher

Krzysztof Zając (CERT PL)

Submitter

Krzysztof Zając (CERT PL)

Submitter website

https://cert.pl

Submitter twitter

cert_polska_en

Verified

Yes

WPVDB ID

c36314c1-a2c0-4816-93c9-e61f9cf7f27a

Timeline

Publicly Published

2023-12-14 (about 5 months ago)

Added

2023-12-14 (about 5 months ago)

Last Updated

2023-12-14 (about 5 months ago)

Other

Published

Title

Published

2024-02-27

Title

WordPress Access Control <= 4.0.13 - Improper Access Control to Sensitive Information Exposure via REST API

Published

2021-05-26

Title

Simple 301 Redirects by BetterLinks - 2.0.0 – 2.0.3 - Unauthenticated Redirect Export

Published

2021-12-06

Title

Tab - Accordion, FAQ < 1.3.2 - Unauthenticated AJAX Calls

Published

2021-11-15

Title

Improved Include Page <= 1.2 - Contributor+ Arbitrary Posts/Pages Access

Published

2019-07-10

Title

WP-GraphQL < 0.3.5 - Improper Access Control