CVE-2023-0555: ajax-functions.php in quick-restaurant-menu/tags/2.0.2/includes/admin – WordPress Plugin Repository

The Quick Restaurant Menu plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on its AJAX actions in versions up to, and including, 2.0.2. Each handler in includes/admin/ajax-functions.php is registered on a `wp_ajax_*` hook, which any logged-in user can reach through wp-admin/admin-ajax.php; none of them calls `current_user_can()` (and none calls `check_ajax_referer()`, so the same requests can also be forged cross-site). This makes it possible for authenticated attackers, with subscriber-level permissions and above, to invoke actions intended for administrator use: menu item creation, update and deletion, and other menu management functions. Since the plugin does not verify that the `post_id` passed to an AJAX action belongs to an `erm_menu_item` post, `erm_delete_menu_item` and `erm_update_menu_item` can be pointed at any post or page on the site, leading to arbitrary post deletion/alteration.

CVE
Tags: #js #wordpress #php #auth

Vulnerable source (quick-restaurant-menu 2.0.2, includes/admin/ajax-functions.php). The code is reproduced as shipped; the comments marked VULN point at the missing checks described above.

```php
<?php
/**
 * AJAX Functions
 *
 * Process ajax admin functions.
 *
 * @package ERM
 * @copyright Copyright © 2022, Alejandro Pascual
 * @license http://opensource.org/licenses/gpl-2.0.php GNU Public License
 * @since 1.0
 */

// Exit if accessed directly
if ( ! defined( 'ABSPATH' ) ) exit;

/**
 * Update menu item
 *
 * VULN: no check_ajax_referer(), no current_user_can(), and no check that
 * $_POST['post_id'] refers to an erm_menu_item. Any logged-in user can
 * rewrite the title, content and thumbnail of any post ID they choose.
 */
function erm_update_menu_item() {

	//echo '<pre>'; print_r( $_POST ); echo '</pre>'; exit();

	if (isset($_POST['post_id'])) {

		$post_id = absint( $_POST['post_id'] );
		$title = sanitize_text_field($_POST['title']);
		$visible = sanitize_text_field($_POST['visible']);
		$prices = qrm_sanitize_text_or_array_field($_POST['prices']);

		wp_update_post(array(
			'ID' => $post_id,
			'post_title' => $title,
			'post_name' => $title,
			'post_content' => wp_kses_post($_POST['content']),
		));

		update_post_meta( $post_id, '_erm_visible', ($visible == 'true' || $visible == 1) ? true : false );
		update_post_meta( $post_id, '_erm_prices', $prices);

		$image_id = absint( $_POST['image_id'] );
		if ( $image_id != 0 ) {
			set_post_thumbnail( $post_id, $image_id );
		} else {
			delete_post_thumbnail( $post_id );
		}

		wp_send_json_success();
	}
	exit();
}
add_action( 'wp_ajax_erm_update_menu_item', 'erm_update_menu_item' );

/**
 * Delete menu item
 *
 * VULN: same missing checks; wp_delete_post( ..., true ) bypasses the
 * trash, so any post ID supplied by a subscriber is permanently deleted.
 */
function erm_delete_menu_item() {

	if (isset($_POST['post_id'])) {
		wp_delete_post( absint($_POST['post_id']), true);
		wp_send_json_success();
	}
	exit();
}
add_action( 'wp_ajax_erm_delete_menu_item', 'erm_delete_menu_item' );

/**
 * Create new menu item
 *
 * VULN: no capability or nonce check; any logged-in user can create
 * published erm_menu_item posts.
 */
function erm_create_menu_item() {

	$post_id = wp_insert_post(array(
		'post_type' => 'erm_menu_item',
		'post_content' => '',
		'post_name' => 'New',
		'post_title' => 'New',
		'post_status' => 'publish'
	), true );

	if ( is_wp_error($post_id) ) {
		wp_send_json_error();

	} else {
		$type = isset($_POST['type']) ? sanitize_text_field($_POST['type']) : 'product';
		update_post_meta( $post_id, '_erm_visible', true );
		update_post_meta( $post_id, '_erm_type', $type );
		wp_send_json_success(array(
			'id' => $post_id,
			'type' => $type,
			'title' => 'New',
			'content' => '',
			'image_id' => 0,
			'src_thumb' => '',
			'src_big' => '',
			'visible' => 1,
			'prices' => array(),
			'link' => get_edit_post_link( $post_id )
		));
	}

	exit();
}
add_action( 'wp_ajax_erm_create_menu_item', 'erm_create_menu_item' );

/**
 * Update list of menu items
 *
 * VULN: writes post meta to an arbitrary post_id without any check.
 *
 * @since 1.0
 */
function erm_update_list_menu_items() {

	if ( isset($_POST['ids']) ) {
		$post_id = absint( $_POST['post_id'] );
		update_post_meta( $post_id, '_erm_menu_items', sanitize_text_field($_POST['ids']));
		wp_send_json_success();
	}

	exit();
}
add_action( 'wp_ajax_erm_update_list_menu_items', 'erm_update_list_menu_items' );

/**
 * Get list of menu items ajax
 *
 * VULN: no capability check, so any logged-in user can enumerate menu
 * items and their edit links.
 *
 * @since 1.0
 */
function erm_list_menu_items() {

	$posts = get_posts( array(
		'post_type' => 'erm_menu_item',
		'numberposts' => -1,
		'order_by' => 'post_title',
		'order' => 'ASC'
	) );

	$html = '';
	$items = array();
	if ($posts) {
		$html .= '<div style="display: inline-block; text-align: left; margin-bottom:20px;">';
		foreach( $posts as $post ) {
			if ( get_post_meta($post->ID,'_erm_type',true) == 'product'){
				$html .= '<label><input data-id="'.$post->ID.'" type="checkbox">'.$post->post_title.'</label><br>';
				$items[] = erm_get_menu_item_data( $post->ID );
			}
		}
		$html .= '</div><hr>';
		$html .= '<button id="add-menu-items" class="button button-default">'.__('Add Menu Items','erm').'</button>';
	} else {
		$html .= '<h1>NO MENU ITEMS</h1>';
	}
	wp_send_json_success( array('html'=>$html, 'items'=>$items) );
	exit();
}
add_action( 'wp_ajax_erm_list_menu_items', 'erm_list_menu_items' );


/**
 * Save menu week
 *
 * VULN: post_id is not even checked for presence, let alone ownership or
 * post type, before the meta write.
 *
 * @since 1.1
 */
function erm_update_menu_week() {

	$post_id = absint($_POST['post_id']);
	$franjas = qrm_sanitize_text_or_array_field($_POST['franjas']);
	//echo '<pre>'; print_r( $franjas ); echo '</pre>';
	update_post_meta( $post_id, 'erm_week_rules', $franjas );

	wp_send_json_success();
}
add_action( 'wp_ajax_erm_update_menu_week', 'erm_update_menu_week' );
```
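The following is an added example of how the delete and update handlers above would look with the three missing checks in place. It is illustrative code written for this page, not the plugin author's actual fix: the capability name `manage_options`, the nonce action `erm_admin_nonce`, the script handle `erm-admin`, and the helper name `erm_authorize_menu_item_request()` are all assumptions. The plugin's own functions referenced here (`qrm_sanitize_text_or_array_field`) are the ones shown in the vulnerable file.

```php
<?php
/**
 * Added example: hardened erm_* AJAX handlers (not the plugin's own code).
 * Assumed names: capability 'manage_options', nonce action 'erm_admin_nonce',
 * script handle 'erm-admin', helper erm_authorize_menu_item_request().
 */

// Exit if accessed directly
if ( ! defined( 'ABSPATH' ) ) exit;

/**
 * Common gate for every AJAX action that touches an existing menu item.
 *
 * Returns the validated post ID or terminates the request with a JSON error.
 * Order matters: the nonce check runs first because check_ajax_referer()
 * dies with "-1" on failure, before any user-controlled value is used.
 *
 *   1. nonce      -> blocks CSRF (the admin JS must send _ajax_nonce)
 *   2. capability -> blocks the subscriber-level authorization bypass
 *   3. post type  -> blocks the IDOR: the ID must name an erm_menu_item,
 *                    so the handler cannot be aimed at an arbitrary post
 */
function erm_authorize_menu_item_request() {
	check_ajax_referer( 'erm_admin_nonce' );

	if ( ! current_user_can( 'manage_options' ) ) {
		wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
	}

	$post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
	if ( 0 === $post_id || 'erm_menu_item' !== get_post_type( $post_id ) ) {
		wp_send_json_error( array( 'message' => 'Invalid menu item' ), 400 );
	}

	return $post_id;
}

/**
 * Hardened delete: only a validated erm_menu_item can be removed.
 */
function erm_delete_menu_item_hardened() {
	$post_id = erm_authorize_menu_item_request();

	if ( ! wp_delete_post( $post_id, true ) ) {
		wp_send_json_error( array( 'message' => 'Delete failed' ), 500 );
	}
	wp_send_json_success();
}
add_action( 'wp_ajax_erm_delete_menu_item', 'erm_delete_menu_item_hardened' );

/**
 * Hardened update: same gate, plus every $_POST field is tested with
 * isset() before use and wp_update_post() errors are surfaced instead
 * of being silently ignored. wp_update_post() expects slashed input, so
 * the $_POST values are passed through the sanitizers without unslashing,
 * as the original handler does.
 */
function erm_update_menu_item_hardened() {
	$post_id = erm_authorize_menu_item_request();

	$title   = isset( $_POST['title'] )   ? sanitize_text_field( $_POST['title'] ) : '';
	$content = isset( $_POST['content'] ) ? wp_kses_post( $_POST['content'] )      : '';
	$prices  = isset( $_POST['prices'] )  ? qrm_sanitize_text_or_array_field( $_POST['prices'] ) : array();
	$visible = isset( $_POST['visible'] ) && in_array( $_POST['visible'], array( 'true', '1' ), true );

	$result = wp_update_post( array(
		'ID'           => $post_id,
		'post_title'   => $title,
		'post_content' => $content,
	), true );
	if ( is_wp_error( $result ) ) {
		wp_send_json_error( array( 'message' => $result->get_error_message() ), 500 );
	}

	update_post_meta( $post_id, '_erm_visible', $visible );
	update_post_meta( $post_id, '_erm_prices', $prices );

	$image_id = isset( $_POST['image_id'] ) ? absint( $_POST['image_id'] ) : 0;
	if ( 0 !== $image_id ) {
		set_post_thumbnail( $post_id, $image_id );
	} else {
		delete_post_thumbnail( $post_id );
	}

	wp_send_json_success();
}
add_action( 'wp_ajax_erm_update_menu_item', 'erm_update_menu_item_hardened' );

/**
 * Hand the nonce to the admin JS so it can send it as _ajax_nonce.
 * Assumes the plugin's admin script is registered under the handle 'erm-admin'.
 */
function erm_admin_nonce_localize() {
	wp_localize_script( 'erm-admin', 'ermAjax', array(
		'nonce' => wp_create_nonce( 'erm_admin_nonce' ),
	) );
}
add_action( 'admin_enqueue_scripts', 'erm_admin_nonce_localize' );
```

The post-type check is the part most often forgotten: a capability check alone would still let an administrator's forged request, or a lower-privileged role granted the capability, delete or overwrite ordinary pages through this endpoint. Where finer control is needed, `current_user_can( 'edit_post', $post_id )` / `current_user_can( 'delete_post', $post_id )` can replace the role-level capability so WordPress applies per-object rules.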

Related news

WordPress Quick Restaurant 2.0.2 XSS / CSRF / IDOR / Missing Authorization

On January 16, 2023, the Wordfence Threat Intelligence team responsibly disclosed several vulnerabilities in Quick Restaurant Menu, a WordPress plugin that allows users to set up restaurant menus on their sites. This plugin is vulnerable to missing authorization, insecure direct object reference, cross-site request forgery, and cross-site scripting in versions up to, and including, 2.0.2.
