FGF-College-Work / Forum

:beer: A space dedicated to discussions and questions about courses and technology content.
MIT License

Blocked for WP GDPR Compliance <= 1.4.2 - Update Any Option / Call Any Action in POST body: action=wpgdprc_process_action #164

Open marcialwushu opened 5 years ago

marcialwushu commented 5 years ago

Blocked for WP GDPR Compliance <= 1.4.2 - Update Any Option / Call Any Action in POST body: action=wpgdprc_process_action

Description

The plugin WP GDPR Compliance allows unauthenticated users to execute any action and to update any database value. If the request data form is available for unauthenticated users, even unauthenticated users are able to do this. See references for discussion of the issue. The problem is in the file Includes/Ajax.php which doesn't do any checking of the given values.
Proof of Concept

Update an option:

Affects Plugin

wp-gdpr-compliance fixed in version 1.4.3

References

CVE 2018-19207
URL https://wordpress.org/support/topic/plugin-installed-itself-and-activated-itself-on-my-site
URL https://plugins.trac.wordpress.org/changeset/1970366/wp-gdpr-compliance
URL https://www.wordfence.com/blog/2018/11/privilege-escalation-flaw-in-wp-gdpr-compliance-plugin-exploited-in-the-wild/

Classification

Type BYPASS

Miscellaneous

Submitter Adrian Mörchen
Submitter Website https://www.moewe.io
Views 13619
Verified Yes
WPVDB ID 9144

WPVULNDB
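The advisory above boils down to an admin-ajax handler that trusted the option name, the value and the action name it received in the POST body, with no nonce, capability or allowlist check. The block below is an added example of what a hardened WordPress AJAX handler of that kind looks like; it is not the WP GDPR Compliance plugin's own code and not its 1.4.3 fix. The action slug `example_process_action`, the nonce action `example_process_action_nonce`, the capability `manage_options` and the `EXAMPLE_ALLOWED_OPTIONS` allowlist are assumed names chosen for the illustration; `check_ajax_referer`, `current_user_can`, `sanitize_key`, `wp_unslash`, `sanitize_text_field`, `update_option`, `wp_send_json_error`, `wp_send_json_success` and `add_action` are WordPress core functions.

```php
<?php
// Added example: a hardened WordPress AJAX handler that updates plugin options.
// Not the WP GDPR Compliance plugin's code. All names below are assumptions
// made for the illustration.

// Allowlist: the only options this endpoint may touch, each with the value
// type it accepts. A caller can never name an arbitrary option or action.
const EXAMPLE_ALLOWED_OPTIONS = array(
    'example_plugin_enabled' => 'bool',
    'example_plugin_notice'  => 'text',
);

function example_process_action() {
    // 1. Nonce check: rejects cross-site forged requests. On failure WordPress
    //    terminates the request itself (HTTP 403 / "-1").
    check_ajax_referer( 'example_process_action_nonce', 'security' );

    // 2. Capability check: only site administrators may change options.
    //    A logged-in subscriber fails here just as an anonymous visitor would.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Option name must be on the allowlist. sanitize_key() reduces the
    //    input to [a-z0-9_-] before the lookup.
    $option = isset( $_POST['option'] ) ? sanitize_key( wp_unslash( $_POST['option'] ) ) : '';
    if ( ! array_key_exists( $option, EXAMPLE_ALLOWED_OPTIONS ) ) {
        wp_send_json_error( array( 'message' => 'Unknown option.' ), 400 );
    }

    // 4. Type-specific sanitisation of the value before it reaches the database.
    $raw = isset( $_POST['value'] ) ? wp_unslash( $_POST['value'] ) : '';
    switch ( EXAMPLE_ALLOWED_OPTIONS[ $option ] ) {
        case 'bool':
            $value = ( '1' === $raw || 'true' === $raw );
            break;
        default:
            $value = sanitize_text_field( $raw );
    }

    update_option( $option, $value );
    wp_send_json_success( array( 'option' => $option ) );
}

// Registered on the logged-in hook only. Deliberately no
// 'wp_ajax_nopriv_example_process_action' registration, so the endpoint does
// not exist for anonymous visitors at all.
add_action( 'wp_ajax_example_process_action', 'example_process_action' );
```

The three checks are layered on purpose: the missing `nopriv` registration and the capability check cover the unauthenticated and low-privilege cases the advisory describes, while the allowlist is what stops an authorised but buggy or abused caller from flipping `users_can_register`, `default_role` or any other option the handler was never meant to expose.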

marcialwushu commented 5 years ago

CVE-ID

CVE-2018-19207 (see the National Vulnerability Database entry)

Description

The Van Ons WP GDPR Compliance (aka wp-gdpr-compliance) plugin before 1.4.3 for WordPress allows remote attackers to execute arbitrary code because $wpdb->prepare() input is mishandled, as exploited in the wild in November 2018.

References
