lesterchan / wp-sweep

WP-Sweep allows you to clean up unused, orphaned and duplicated data in your WordPress. It also optimizes your database tables.
https://wordpress.org/plugins/wp-sweep/

Missing Security Check for AJAX Accessible Functions #70

Closed PluginVulnerabilities closed 1 year ago

PluginVulnerabilities commented 1 year ago

While reviewing the changes made in a recent version of the plugin because it was flagged by one of our security monitoring systems, we ran across a minor security issue in the plugin. The AJAX accessible functions ajax_sweep_details() and ajax_sweep() now in the file /inc/class-wpsweep.php are lacking a capabilities check to make sure only the intended users have access to them. You do have a nonce check in those functions. While a nonce check would normally do the equivalent of a capabilities check, the documentation for that states it shouldn't be relied on for that:

Nonces should never be relied on for authentication, authorization, or access control.
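A minimal illustration of the pattern the report describes, as an added example that is not the plugin's code or the linked fix commit; the hook name, the nonce action name and the `manage_options` capability are assumptions for the example:

```php
<?php
// Added illustration, not wp-sweep's own code. Hook name, nonce action
// and capability are assumed values chosen for this example.

// Weak pattern: nonce check only. A valid nonce shows the request came
// from a page WordPress rendered for this logged-in user; it says nothing
// about whether that user's role is allowed to run the sweep.
function example_ajax_sweep_nonce_only() {
    check_ajax_referer( 'example_sweep_nonce', 'nonce' );
    // Any authenticated user who was served the nonce reaches this point,
    // regardless of role.
    wp_send_json_success( array( 'swept' => true ) );
}

// Hardened pattern: keep the nonce check (CSRF protection) and add an
// explicit capability check (authorization). wp_send_json_error() exits,
// so the privileged work below it never runs for unauthorized users.
function example_ajax_sweep_hardened() {
    check_ajax_referer( 'example_sweep_nonce', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }
    wp_send_json_success( array( 'swept' => true ) );
}

// Register only the hardened handler, and only for authenticated users:
// no matching 'wp_ajax_nopriv_' hook, so anonymous requests never reach it.
add_action( 'wp_ajax_example_sweep', 'example_ajax_sweep_hardened' );
```

When reviewing a plugin's `wp_ajax_*` handlers, look for both calls together; a `check_ajax_referer()` without a `current_user_can()` is the pattern this issue reports.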

lesterchan commented 1 year ago

Thanks for the report! I have fixed it. I think this issue has always been there. Can see the fix at https://github.com/lesterchan/wp-sweep/commit/2e2e4b7608637a33a1e5207e7cbcd2762b1546dc, can you verify it before I release it?

lesterchan commented 1 year ago

cc @szepeviktor ^

PluginVulnerabilities commented 1 year ago

Both that fix and the subsequent changes take care of this. Thank you for the quick response.

The issue was there before. We only ran across it now because one of our customers is currently using the plugin and the commit with the code being moved to a new file got flagged by one of our systems.

lesterchan commented 1 year ago

Thanks! I have released 1.1.8 to fix this =)