IMPress for IDX Broker < 2.6.2 - Authenticated Post Creation, Modification, and Deletion



Description
This plugin registers 2 AJAX actions that create and delete “dynamic pages,” which are intended to ensure that any IDX pages match the site’s style and branding. Neither of the functions called by these AJAX actions used capability checks or nonce checks. As such, it was possible for an authenticated attacker with minimal, subscriber-level permissions to send a request to wp-admin/admin-ajax.php with the action parameter set to create_dynamic_page and the post_title parameter set to any arbitrary value. In return, a new dynamic page with that title would be created.

If a wrapper_page_id parameter was included and set to the ID of an existing post or page, that post or page would be replaced with a blank wrapper page. Alternatively, if the attacker set the action parameter to delete_dynamic_page and sent a wrapper_page_id parameter with the ID of an existing post or page, then that post or page would be permanently deleted.
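
For reference, a sketch of handlers for the same two actions with the missing nonce and capability checks in place. This is an added example, not the plugin's code or its 2.6.2 patch: the handler names, the nonce action and field name, and the post type slug are assumptions, while the action and parameter names are the ones given above.

```php
<?php
// Added example, not the plugin's code. Handler names, nonce action/field and
// post type slug are assumptions; action and parameter names are the advisory's.
const EXAMPLE_NONCE_ACTION = 'example_dynamic_page';
const EXAMPLE_WRAPPER_TYPE = 'example-wrapper';

// wp_ajax_{action} hooks run for every logged-in user, subscribers included,
// so each handler has to authorize the request itself.
add_action( 'wp_ajax_create_dynamic_page', 'example_create_dynamic_page' );
add_action( 'wp_ajax_delete_dynamic_page', 'example_delete_dynamic_page' );

// Shared gate: nonce, then capability, then scoping to the plugin's post type.
function example_authorize( $capability, $post_id = 0 ) {
	check_ajax_referer( EXAMPLE_NONCE_ACTION, 'nonce' ); // dies with 403 if invalid
	$allowed = $post_id ? current_user_can( $capability, $post_id ) : current_user_can( $capability );
	if ( ! $allowed || ( $post_id && EXAMPLE_WRAPPER_TYPE !== get_post_type( $post_id ) ) ) {
		wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
	}
}

function example_create_dynamic_page() {
	$post_id = isset( $_POST['wrapper_page_id'] ) ? absint( $_POST['wrapper_page_id'] ) : 0;
	// Updating an existing wrapper needs edit rights on it; creating needs publish rights.
	if ( $post_id ) {
		example_authorize( 'edit_post', $post_id );
	} else {
		example_authorize( 'publish_pages' );
	}
	$title = isset( $_POST['post_title'] ) ? sanitize_text_field( wp_unslash( $_POST['post_title'] ) ) : '';
	$args  = array( 'ID' => $post_id, 'post_title' => $title,
		'post_type' => EXAMPLE_WRAPPER_TYPE, 'post_status' => 'publish' );
	$result = wp_insert_post( $args, true ); // true: return WP_Error on failure
	if ( is_wp_error( $result ) ) {
		wp_send_json_error( null, 500 );
	}
	wp_send_json_success( array( 'id' => $result ) );
}

function example_delete_dynamic_page() {
	$post_id = isset( $_POST['wrapper_page_id'] ) ? absint( $_POST['wrapper_page_id'] ) : 0;
	if ( ! $post_id ) {
		wp_send_json_error( array( 'message' => 'Missing wrapper_page_id' ), 400 );
	}
	example_authorize( 'delete_post', $post_id );
	if ( ! wp_delete_post( $post_id, true ) ) { // true: skip the trash
		wp_send_json_error( null, 500 );
	}
	wp_send_json_success();
}
```

The post type comparison is what keeps a wrapper_page_id pointing at an ordinary post or page from being overwritten or deleted through these actions, even by a user who passes the capability check.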

Affects Plugin

Fixed in version 2.6.2

References

CVE 2020-9514
URL https://www.wordfence.com/blog/2020/03/vulnerabilities-patched-in-impress-for-idx-broker/

Classification

Type AUTHBYPASS
OWASP Top 10 A2: Broken Authentication and Session Management
CWE CWE-287

Miscellaneous

Original Researcher Ramuel Gall (Wordfence)
Submitter Ramuel Gall
Views 894
Verified No
WPVDB ID 10153

Timeline

Publicly Published 2020-03-26 (2 months ago)
Added 2020-03-26 (about 2 months ago)
Last Updated 2020-03-27 (about 2 months ago)
