Beaver Builder Plugin [Authenticated Post Content Copy]

Description

The plugin does not perform authorization checks when handling specific AJAX actions. Those actions include:

  • fl_builder_export_templates_data
  • fl_builder_disable
  • fl_builder_duplicate_wpml_layout

This could allow an authenticated user to abuse these hooks to perform actions they are not authorized to perform.

Anti-CSRF nonce checks are also missing from the callback functions, leaving these actions open to CSRF attacks.

Of the listed actions, the most destructive is probably fl_builder_duplicate_wpml_layout, which lets a user copy the contents of one post into another, provided the plugin's frontend editor is available for the source post. An attacker could use this to overwrite the content of posts across an entire site. A user without the publish_posts capability could also use it to publish content of their choosing by copying it into posts that are already published.

PoC

  1. Create a post using the plugin editor (requires the edit_posts capability).
  2. Perform a request to copy the contents of this post (original_post_id) into another, already published post (post_id), for example:

```http
POST /wp-admin/admin-ajax.php?action=fl_builder_duplicate_wpml_layout HTTP/1.1
Host: [host]
Cookie: [cookies]

original_post_id=2&post_id=1
```
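As an added example that is not the plugin's own code, the following WordPress AJAX handler for a layout-copy action applies the two controls the advisory reports as missing: a nonce check against CSRF and a capability check on both the source and the target post. The hook name, function name and nonce action are assumptions chosen for illustration.

```php
<?php
// Added example (not the plugin's code): hardened AJAX handler for copying
// layout data from one post to another. Names are assumptions.

add_action( 'wp_ajax_example_duplicate_layout', 'example_duplicate_layout' );

function example_duplicate_layout() {
    // 1. Anti-CSRF: the request must carry a nonce created with
    //    wp_create_nonce( 'example_duplicate_layout' ) and sent as _ajax_nonce.
    //    check_ajax_referer() terminates the request (HTTP 403) when the
    //    nonce is missing or invalid, so a cross-site form post cannot pass.
    check_ajax_referer( 'example_duplicate_layout', '_ajax_nonce' );

    $original_post_id = isset( $_POST['original_post_id'] ) ? absint( $_POST['original_post_id'] ) : 0;
    $post_id          = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;

    if ( ! $original_post_id || ! $post_id
        || ! get_post( $original_post_id ) || ! get_post( $post_id ) ) {
        wp_send_json_error( array( 'message' => 'Invalid post id.' ), 400 );
    }

    // 2. Authorization: the caller must be allowed to edit BOTH posts.
    //    'edit_post' is a meta capability: for a published post owned by
    //    someone else WordPress maps it to edit_others_posts and
    //    edit_published_posts, so a plain edit_posts user is refused.
    //    Checking only the source post would still let such a user
    //    overwrite an already published post they cannot edit.
    if ( ! current_user_can( 'edit_post', $original_post_id )
        || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // ... copy the layout data from $original_post_id to $post_id here ...

    wp_send_json_success( array(
        'copied_from' => $original_post_id,
        'copied_to'   => $post_id,
    ) );
}
```

Logging the rejected requests (user id, both post ids, remote address) from the two error branches gives a simple detection signal for probing of this endpoint.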
