Responsive Poll < 1.3.4 - Broken Authentication and Missing Capability Checks on AJAX calls



Description
Edit (WPScanTeam):

In versions < 1.3.3, unauthenticated users can manipulate polls, e.g., delete, clone, or view a hidden poll.
In versions < 1.3.4, any authenticated user can do the same as above.

v1.3.4 added capability checks; however, the issues are still exploitable via CSRF as there are no nonce checks.
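
The three conditions in the description map to three separate checks in a WordPress AJAX handler. The handler below is an added example, not the plugin's code or the code from the referenced changesets. The `example_` names, the `manage_options` capability, the `poll_id` parameter and the storage of polls as an `example_poll` post type are all assumptions.

```php
<?php
// Added example: every "example_" name is hypothetical, not taken from the plugin.

// Register only the authenticated hook. Also registering
// wp_ajax_nopriv_example_delete_poll would expose the action to
// logged-out visitors (the condition described for versions < 1.3.3).
add_action( 'wp_ajax_example_delete_poll', 'example_delete_poll' );

function example_delete_poll() {
    // CSRF: a capability check alone still passes when an admin's browser is
    // tricked into sending the request, so the nonce is verified first.
    // $stop = false lets the handler return its own JSON error.
    if ( ! check_ajax_referer( 'example_delete_poll', 'nonce', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid or missing nonce.' ), 403 );
    }

    // Authorization: being logged in is not enough (the condition described
    // for versions < 1.3.4). The capability chosen here is an assumption.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // Input validation: accept only a positive integer ID of the expected type.
    $poll_id = isset( $_POST['poll_id'] ) ? absint( $_POST['poll_id'] ) : 0;
    if ( 0 === $poll_id || 'example_poll' !== get_post_type( $poll_id ) ) {
        wp_send_json_error( array( 'message' => 'Unknown poll.' ), 400 );
    }

    if ( ! wp_delete_post( $poll_id, true ) ) {
        wp_send_json_error( array( 'message' => 'Delete failed.' ), 500 );
    }
    wp_send_json_success( array( 'deleted' => $poll_id ) );
}

// The nonce is issued only on admin pages, tied to the same action string.
add_action( 'admin_enqueue_scripts', 'example_poll_admin_assets' );

function example_poll_admin_assets() {
    wp_enqueue_script( 'example-poll-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-poll-admin', 'examplePoll', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_delete_poll' ),
    ) );
}
```

When auditing a plugin for this class of issue, list every `wp_ajax_` and `wp_ajax_nopriv_` registration and confirm each state-changing callback contains both a `current_user_can()` call and a nonce verification.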


Affects Plugin

fixed in version 1.3.4

References

CVE 2020-11673
URL https://gist.github.com/pak0s/05a0e517aeff4b1422d1a93f59718459
URL https://plugins.trac.wordpress.org/changeset/2271601
URL https://plugins.trac.wordpress.org/changeset/2273724

Classification

Type PRIVESC
OWASP Top 10 A2: Broken Authentication and Session Management
CWE CWE-269

Miscellaneous

Original Researcher pak0s
Views 1789
Verified Yes
WPVDB ID 10178

Timeline

Publicly Published 2020-04-13 (about 1 month ago)
Added 2020-04-13 (about 1 month ago)
Last Updated 2020-04-14 (about 1 month ago)
