WordPress Plugin Vulnerabilities

Schema Pro < 2.7.16 - Contributor+ Custom Field Access

Description

The plugin does not validate post access allowing a contributor user to access custom fields on any post regardless of post type or status via a shortcode

Proof of Concept

As a contributor, add/edit a post and embed `[aiosrs_pro_custom_field post_id="ANY_POST_ID" field_key="ANY_META_KEY"]` and specify/guess any post ID and meta key you may want to access

Save the post and preview it to disclose the post meta key value

Affects Plugins

Plugin icon
wp-schema-pro
Fixed in 2.7.16

References

CVE
CVE-2024-1564
YouTube Video

Classification

Type
ACCESS CONTROLS
OWASP top 10
A5: Broken Access Control
CWE
CWE-284

Miscellaneous

Original Researcher
Scott Kingsley Clark
Submitter
Scott Kingsley Clark
Submitter website
https://skc.dev
Verified
Yes
WPVDB ID
ecb1e36f-9c6e-4754-8878-03c97194644d

Timeline

Publicly Published
2024-03-04 (about 2 months ago)
Added
2024-03-04 (about 2 months ago)
Last Updated
2024-03-04 (about 2 months ago)

Other

Published
Title
Published
2021-11-01
Title
Contest Gallery < 13.1.0.6 - Missing Access Controls to Unauthenticated SQL injection / Email Address Disclosure
Published
2021-04-20
Title
Redirection for Contact Form 7 < 2.3.4 - Authenticated Arbitrary Plugin Installation
Published
2020-11-28
Title
BuddyPress < 6.4.0 - Lack of Capability Check on Profile Page
Published
2021-11-03
Title
Event Manager for WooCommerce < 3.5.3 - Unauthenticated Arbitrary Elementor Template Import
Published
2024-04-17
Title
Backup Migration < 1.4.4 - Information Exposure via Log Files