TycheSoftwares / arconix-shortcodes

Arconix Shortcodes provides a number of useful design elements to complement any website.

Vulnerable to Broken Access Control #81

Closed komal-maru closed 3 months ago

komal-maru commented 3 months ago

Dhabaleshwar Das discovered and reported this Broken Access Control vulnerability in WordPress Arconix Shortcodes Plugin to Patchstack.

Steps to reproduce

The plugin lacks proper nonce implementation for an action, exposing users to Cross-Site Request Forgery (CSRF) attacks. This vulnerability could allow an attacker to perform malicious actions on behalf of the authenticated user without their consent.

1- First install and configure the plugin.

2- After activation, in the "Plugins" tab on the left side, at the top of the page allow Arconix Shortcodes to collect data. After that you'll see an option under "Arconix Shortcodes" called "Reset Usage Tracking"; click on it and then intercept the request, and you'll see that no nonce is implemented for this action.

3- This improper nonce validation enables CSRF attacks, wherein an attacker can forge a request to perform unauthorized actions on behalf of the user who is currently authenticated.

The crafted HTML request can be seen here:

https://patchstack.com/database/report-preview/fac03b5b-0005-477c-bfd1-05d587fea0b4

PIN code to access the report information: j82t1X4RjLLjanyB

Expected behavior

Additional comment by Patchstack

Unauth BAC on the ts_reset_tracking_setting function. Apply proper permission and nonce checks.

Additional field

Ticket: https://support.tychesoftwares.com/conversation/2678?folder_id=13
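As an added illustration (not the plugin's own code, and not taken from the report above), here is how a WordPress admin action of the "Reset Usage Tracking" kind is normally protected against both the missing permission check and the missing nonce described in this issue. The hook, function, option and nonce names prefixed `example_` are hypothetical placeholders; the WordPress API calls are real.

```php
<?php
// Added example: a hardened "reset usage tracking" admin action.
// Names prefixed example_ are placeholders, not the plugin's identifiers.

// Only admin_post_{action} is registered. Because admin_post_nopriv_{action}
// is deliberately NOT hooked, unauthenticated requests never reach the handler.
add_action( 'admin_post_example_reset_tracking', 'example_reset_tracking_setting' );

function example_reset_tracking_setting() {
    // 1. Permission check: the caller must be allowed to manage plugin settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die(
            esc_html__( 'You do not have permission to do this.', 'example-plugin' ),
            '',
            array( 'response' => 403 )
        );
    }

    // 2. Nonce check: a forged cross-site request cannot carry the per-user,
    //    per-action token, so check_admin_referer() stops it with wp_die().
    //    The action/name pair must match the one used when the link is built.
    check_admin_referer( 'example_reset_tracking', 'example_nonce' );

    // 3. Only after both checks pass is the state actually changed.
    delete_option( 'example_allow_tracking' ); // placeholder option name

    // Redirect back to the settings page so a refresh does not replay the action.
    wp_safe_redirect(
        add_query_arg( 'tracking_reset', '1', admin_url( 'admin.php?page=example-settings' ) )
    );
    exit;
}

// Rendering the button: wp_nonce_url() embeds the token the handler verifies.
function example_render_reset_button() {
    $url = wp_nonce_url(
        admin_url( 'admin-post.php?action=example_reset_tracking' ),
        'example_reset_tracking',
        'example_nonce'
    );
    printf(
        '<a class="button" href="%s">%s</a>',
        esc_url( $url ),
        esc_html__( 'Reset Usage Tracking', 'example-plugin' )
    );
}
```

When reviewing a plugin for this class of bug, look for state-changing handlers that call neither `current_user_can()` nor `check_admin_referer()`/`wp_verify_nonce()` before acting; either check alone is insufficient, since the capability check does not stop CSRF and the nonce check does not stop a low-privilege but logged-in user.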