IMPress for IDX Broker < 2.6.2 - Authenticated Post Creation, Modification, and Deletion

This plugin registers 2 AJAX actions intended to create and delete “dynamic pages,” intended to ensure that any IDX pages match the site’s style and branding. Neither of the functions called by these AJAX actions used capability checks or nonce checks. As such it was possible for an authenticated attacker with minimal, subscriber-level, permissions to send a request to wp-admin/admin-ajax.php with the action parameter set to create_dynamic_page and the post_title parameter set to any arbitrary value. In return, a new dynamic page with that title would be created.

If a wrapper_page_id parameter was included and set to the ID of an existing post or page, that post or page would be replaced with a blank wrapper page. Alternatively, if the attacker set the action parameter to delete_dynamic_page and sent a wrapper_page_id parameter with the ID of an existing post or page, then that post or page would be permanently deleted.

Affects Plugin

fixed in version 2.6.2


CVE 2020-9514


OWASP Top 10 A2: Broken Authentication and Session Management


Original Researcher Ramuel Gall(Wordfence)
Submitter Ramuel Gall
Views 894
Verified No
WPVDB ID 10153


Publicly Published 2020-03-26 (2 months ago)
Added 2020-03-26 (about 2 months ago)
Last Updated 2020-03-27 (about 2 months ago)

Our Other Services

Online WordPress Vulnerability Scanner WPScan WordPress Security Plugin