GD Press Tools [Missing Function Level Access Control]
GD Press Tools plugin for WordPress suffers from a Missing Function Level Access Control vulnerability
Description
GD Press Tools plugin for WordPress suffers from a Missing Function Level Access Control vulnerability.
The method GDPressTools::saveedit_post() doesn’t properly check user permissions and trusts the user-supplied post ID. This allows a user to edit information on other users’ posts.
We found similar issues in many other places, but they are not reported here because they lead to more serious vulnerabilities.
PoC
The vulnerable code follows:
// ...
if (is_admin()) {
    if ($this->get('integrate_postedit_widget') == 1) {
        // The handler is hooked on every save_post in the admin area
        add_action('save_post', array(&$this, 'saveedit_post'));
    }
} else {
    // ...
}
// ...
function saveedit_post($post_id) {
    // The post ID supplied by WordPress is overwritten with an unchecked value from the request
    if (isset($_POST['post_ID']) && $_POST['post_ID'] > 0) {
        $post_id = $_POST['post_ID'];
    }
    // No nonce verification and no current_user_can('edit_post', $post_id) check before post meta is written
    if (isset($_POST['gdpt_post_edit']) && $_POST['gdpt_post_edit'] == 'edit') {
        if (isset($_POST['gdpt_meta_robots'])) {
            delete_post_meta($post_id, '_gdpt_meta_robots');
        } else {
            $robots = array();
            $raw = $_POST['gdpt_meta_robots_extra'];
            if ($_POST['gdpt_meta_robots_standard'] != '') {
                $robots = explode(',', $_POST['gdpt_meta_robots_standard']);
            }
            if (is_array($raw)) {
                foreach ($raw as $value => $status) {
                    $robots[] = $value;
                }
            }
            update_post_meta($post_id, '_gdpt_meta_robots', join(',', $robots));
        }
    }
}
// ...
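For comparison, a hardened rewrite of the handler above, added here as an example and not code from the plugin or its vendor. It assumes it runs inside WordPress, that the edit form was rendered with wp_nonce_field('gdpt_post_edit_save', 'gdpt_post_edit_nonce') (hypothetical nonce names), and that the list of accepted robots directives is the one chosen here.

```php
<?php
// Hardened save_post handler (added example, not the plugin's own code).
// Assumes WordPress and a form rendered with
// wp_nonce_field('gdpt_post_edit_save', 'gdpt_post_edit_nonce') (hypothetical names).
function gdpt_saveedit_post_hardened($post_id) {
    // Use the ID WordPress passes to save_post; never replace it with $_POST['post_ID'].
    $post_id = (int) $post_id;

    // Autosaves and revisions fire save_post without a full form submission.
    if ((defined('DOING_AUTOSAVE') && DOING_AUTOSAVE) || wp_is_post_revision($post_id)) {
        return;
    }
    if (!isset($_POST['gdpt_post_edit']) || $_POST['gdpt_post_edit'] !== 'edit') {
        return;
    }
    // Function-level access control: the request must carry a valid nonce for this
    // form, and the current user must be allowed to edit this specific post.
    if (!isset($_POST['gdpt_post_edit_nonce'])
        || !wp_verify_nonce($_POST['gdpt_post_edit_nonce'], 'gdpt_post_edit_save')) {
        return;
    }
    if (!current_user_can('edit_post', $post_id)) {
        return;
    }

    if (isset($_POST['gdpt_meta_robots'])) {
        delete_post_meta($post_id, '_gdpt_meta_robots');
        return;
    }
    // Accept only known directives instead of storing raw form input (assumed list).
    $allowed = array('noindex', 'nofollow', 'noarchive', 'nosnippet', 'noodp', 'noydir');
    $robots = array();
    if (!empty($_POST['gdpt_meta_robots_standard'])) {
        $standard = sanitize_text_field($_POST['gdpt_meta_robots_standard']);
        foreach (explode(',', $standard) as $v) {
            $robots[] = trim($v);
        }
    }
    if (isset($_POST['gdpt_meta_robots_extra']) && is_array($_POST['gdpt_meta_robots_extra'])) {
        // The original stores the array keys, so keep that shape but sanitize each key.
        foreach (array_keys($_POST['gdpt_meta_robots_extra']) as $v) {
            $robots[] = sanitize_key($v);
        }
    }
    $robots = array_values(array_unique(array_intersect($robots, $allowed)));
    update_post_meta($post_id, '_gdpt_meta_robots', join(',', $robots));
}
add_action('save_post', 'gdpt_saveedit_post_hardened');
```

The two checks that the original lacks are the nonce verification and current_user_can('edit_post', $post_id) against the ID WordPress supplies; the directive allow-list is an additional hardening step beyond the reported issue.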
Solution
As of 2016-02-18 the vendor stated that this plugin is discontinued and won’t resolve this issue. The only available solution is to remove this plugin.
INFO
- 16 February 2016
- Pan Vag
- www.dev4press.com
- wordpress.org
- WordPress 4.4.2
TIMELINE
- 2016-02-17: Vendor notified through contact form on his website
- 2016-02-17: Vendor notified through wordpress.org support forums
- 2016-02-18: Author responded won't fix
- 2016-02-18: Notified security at wordpress.org and plugins at wordpress.org
- 2016-02-23: Plugin was taken down by wordpress.org plugins team