WordPress Plugin Vulnerabilities

EazyDocs < 2.4.0 - Subscriber+ Arbitrary Posts Deletion and Document Management

Description

The plugin re-introduced CVE-2023-6029 (https://wpscan.com/vulnerability/7a0aaf85-8130-4fd7-8f09-f8edc929597e/) in 2.3.8, allowing any authenticated users, such as subscriber to delete arbitrary posts, as well as add and delete documents/sections. The issue was partially fixed in 2.3.9.

Proof of Concept

v 2.3.8, same PoC than https://wpscan.com/vulnerability/7a0aaf85-8130-4fd7-8f09-f8edc929597e/ 

v 2.3.9 (can only delete arbitrary documents from the plugin)
1 - Login as a subscriber and view the source of the backend page.
2 - Search for `eazydocs_local_object` variable.
3 - Inside the variable, you will find the option tag containing the _wpnonce and the post id.
4 - Change the value of the following URL with the data from step 3:

https://example.com/wp-admin/admin-post.php?Doc_Delete=yes&_wpnonce=<_wpnonce>&DeleteID=<post_id>

Affects Plugins

Plugin icon
eazydocs
Fixed in 2.4.0

References

CVE
CVE-2024-0248

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862

Miscellaneous

Original Researcher
Majed Refaea
Submitter
Majed Refaea
Verified
Yes
WPVDB ID
faf50bc0-64c5-4ccc-a8ac-e73ed44a74df

Timeline

Publicly Published
2024-01-16 (about 3 months ago)
Added
2024-01-16 (about 3 months ago)
Last Updated
2024-01-16 (about 3 months ago)

Other

Published
Title
Published
2024-01-25
Title
10Web AI Assistant – AI content writing assistant < 1.0.19 - Missing Authorization to Arbitrary Plugin Installation
Published
2023-11-19
Title
Customer Reviews for WooCommerce < 5.38.2 - Missing Authorization via manual review reminders
Published
2023-10-20
Title
wpDiscuz < 7.6.11 - Insufficient Authorization to Comment Submission on Deleted Posts
Published
2022-01-17
Title
PPOM for WooCommerce < 24.0 - Subscriber+ Settings Update to Stored XSS
Published
2023-06-03
Title
B2BKing < 4.6.20 - Subscriber+ Arbitrary Products Price Update