Relevanssi – Subscriber+ Unauthorised AJAX Calls

Description

The plugins do not have authorisation and CSRF checks in some of their AJAX actions, allowing any authenticated users, such as subscriber, to call them. This could disclose information to subscribers, as well as allow them to truncate the index, which will disable the search

Proof of Concept

https://example.com/wp-admin/admin-ajax.php?action=relevanssi_truncate_index

Affects Plugins

relevanssi

Fixed in 4.14.6

relevanssi-premium

Fixed in 2.16.5

References

URL

https://plugins.trac.wordpress.org/changeset/2648642

URL

https://plugins.trac.wordpress.org/changeset/2648980

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CWE-862

CVSS

5.4 (medium)

Miscellaneous

Original Researcher

Jan w Oleju

Submitter

Jan w Oleju

Verified

Yes

WPVDB ID

c0c27674-715e-464d-ab38-0774128e6741

Timeline

Publicly Published

2022-02-15 (about 2 years ago)

Added

2022-02-15 (about 2 years ago)

Last Updated

2022-02-15 (about 2 years ago)

Other

Published

Title

Published

2024-04-25

Title

Smart Forms < 2.6.92 - Missing Authorization to Notice Dismissal

Published

2023-01-19

Title

GPT3 AI Content Writer < 1.4.38 - Subscriber+ Arbitrary Post Content Update

Published

2023-11-07

Title

Visitors Traffic Real Time Statistics < 7.3 - Missing Authorization via multiple AJAX actions

Published

2022-11-09

Title

WPML < 4.5.11 - Subscriber+ Translation Job Status Update

Published

2023-08-16

Title

Comments Like Dislike < 1.2.0 - Subscriber+ Settings Reset