xwp / stream

🗄️ Stream plugin for WordPress

https://wordpress.org/plugins/stream/

GNU General Public License v2.0

405 stars 119 forks source link

Check for caps before loading alert settings #1432

Closed schlessera closed 1 year ago

schlessera commented 1 year ago

This PR includes the following changes:

adds tests to trigger and assert the vulnerability described in CVE-2022-43450, props @Lucisu via Patchstack
fixes CVE-2022-43450 by adding a capability check to the 'wp_ajax_load_alerts_settings ' AJAX action.

Checklist

[x] Project documentation has been updated to reflect the changes in this pull request, if applicable.
[x] I have tested the changes in the local development environment (see contributing.md).
[x] I have added phpunit tests.