Gutenberg & Elementor Templates Importer For Responsive < 2.2.6 - Unprotected AJAX Endpoints
Description
"These flaws allowed any authenticated user, regardless of privilege level, the ability to execute various AJAX actions (23) that could reset site data, inject malicious JavaScript in pages, modify theme customizer data, import .xml and .json files, and activate plugins, among many other actions."
Proof of Concept
All of the vulnerable actions could be called with a simple request to /wp-admin/admin-ajax.php?action=[Vulnerable-Action] along with the appropriate parameters set, by any authenticated user, including users with minimal subscriber-level permissions.

Here is one example, importing an XML file:
URL/wp-admin/admin-ajax.php?action=responsive-ready-sites-import-xml&xml_path=https%3A%2F%2Fexample.com%2Fwp-content%2Fuploads%2Fsites%2F54%2Fwxr.xml
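The underlying defect is a handler registered on a wp_ajax_* hook without an authorization check: WordPress fires that hook for every logged-in user, so the handler itself must verify the caller's capability. The following is an added illustration written for this entry, not the plugin's own code; the action name, callback names, nonce action name and the `manage_options` capability choice are assumptions, and only the WordPress hook and helper functions are real.

```php
<?php
// Added illustration, not the plugin's source. Action, callback and nonce
// names are hypothetical; add_action, check_ajax_referer, current_user_can
// and wp_send_json_* are the real WordPress APIs.

// VULNERABLE PATTERN: wp_ajax_* runs for any authenticated user, so without a
// capability check a subscriber can reach the import routine and choose the
// file it imports.
add_action( 'wp_ajax_example_import_xml', 'example_import_xml_unprotected' );
function example_import_xml_unprotected() {
    $xml_path = isset( $_REQUEST['xml_path'] ) ? $_REQUEST['xml_path'] : '';
    // ... importer would run here with caller-controlled $xml_path ...
    wp_send_json_success( array( 'imported' => $xml_path ) );
}

// HARDENED PATTERN: check the nonce (request forgery) and the capability
// (authorization) before touching any state, then validate the input.
add_action( 'wp_ajax_example_import_xml_safe', 'example_import_xml_protected' );
function example_import_xml_protected() {
    // Nonce issued to the admin page that legitimately triggers the import,
    // e.g. wp_create_nonce( 'example_import_nonce' ) passed to the script.
    // check_ajax_referer() calls wp_die() on failure, so execution stops here.
    check_ajax_referer( 'example_import_nonce', '_ajax_nonce' );

    // Importing site content and activating plugins is administrator work;
    // wp_send_json_error() also ends the request, so no return is needed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }

    $xml_path = isset( $_REQUEST['xml_path'] )
        ? esc_url_raw( wp_unslash( $_REQUEST['xml_path'] ) )
        : '';
    if ( '' === $xml_path ) {
        wp_send_json_error( array( 'message' => 'Missing xml_path' ), 400 );
    }
    // ... importer runs here only for an authorized, nonce-verified admin ...
    wp_send_json_success( array( 'imported' => $xml_path ) );
}
```

When reviewing a plugin for this bug class, list every wp_ajax_* and wp_ajax_nopriv_* registration and confirm each callback performs a current_user_can() check appropriate to what it does; a nonce alone is not sufficient, since any logged-in user who can load the page can obtain one.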

Affects Plugin

References

URL https://www.wordfence.com/blog/2020/03/severe-flaws-patched-in-responsive-ready-sites-importer-plugin/

Classification

Type BYPASS

Miscellaneous

Original Researcher Chloe Chamberland
Submitter Chloe
Submitter Website https://wordfence.com
Submitter Twitter infosecchloe
Views 1126
Verified No
WPVDB ID 10137

Timeline

Publicly Published 2020-03-18
Added 2020-03-18
Last Updated 2020-03-19
