Headline
CVE-2023-0402: Changeset 2844092 for social-warfare – WordPress Plugin Repository
The Social Warfare plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on several AJAX actions in versions up to, and including, 4.3.0. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to delete post meta information and reset network access tokens.
Timestamp:
01/05/2023 01:44:34 PM (2 weeks ago)
WarfarePlugins
Message:
Added user role checks for admin ajax calls. Removed PHP short tags. Sanitized inputs.
Location:
social-warfare
Files:
- tags/4.3.0/lib/options/SWP_Options_Page.php (1 diff)
- tags/4.3.0/lib/utilities/SWP_Utility.php (1 diff)
- trunk/lib/options/SWP_Options_Page.php (1 diff)
- trunk/lib/utilities/SWP_Utility.php (1 diff)
social-warfare/tags/4.3.0/lib/options/SWP_Options_Page.php
r2844082
r2844092
922
922
\*/
923
923
public function delete\_network\_tokens() {
924
$network = $\_POST\['network'\];
924
925
// Bail out if the user is not allowed to manage options.
926
if(false === current\_user\_can('manage\_options') ) {
927
return;
928
}
929
930
$network = sanitize\_text\_field( $\_POST\['network'\] );
925
931
$response = array('ok' => false);
926
932
$response\['ok'\] = SWP\_Credential\_Helper::delete\_token($network);
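Review bot: the bare `return` after the failed `current_user_can('manage_options')` check at line 926-928 sends the AJAX caller an empty 200 response, so the client cannot distinguish "denied" from "deleted"; `wp_send_json_error( null, 403 )` or `wp_die( -1, 403 )`, as WordPress core's admin-ajax handlers do, would make the refusal explicit. Nothing in the visible lines verifies a request nonce (`check_ajax_referer()`), so the capability check alone still allows a forged cross-site request from an administrator's browser to delete tokens; add the nonce check next to the capability check. Note also that this edits `tags/4.3.0` in place: sites already running 4.3.0 will not be offered the fix unless the plugin version is bumped.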
social-warfare/tags/4.3.0/lib/utilities/SWP_Utility.php
r2844082
r2844092
474
474
\*/
475
475
public static function reset\_post\_meta() {
476
$post\_id = $\_POST\['post\_id'\];
476
477
// Bail out if the user is not allowed to manage options.
478
if(false === current\_user\_can('manage\_options') ) {
479
return;
480
}
481
482
$post\_id = sanitize\_key( $\_POST\['post\_id'\] );
477
483
if ( empty( $post\_id ) ) {
478
484
wp\_die(0);
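Review bot: `sanitize_key()` at line 482 lowercases and strips everything outside `[a-z0-9_-]`, so a numeric post ID passes through unchanged but so does a string such as `abc`; for an integer ID, `absint( $_POST['post_id'] )` expresses the intent and makes the following `empty( $post_id )` check reject non-numeric input as well. The new line also reads `$_POST['post_id']` without an `isset()` guard, which raises a PHP notice when the parameter is absent, and the two failure paths are inconsistent: an unauthorized caller gets a silent `return` while a missing ID gets `wp_die(0)`. Picking one failure style (for example `wp_die( -1, 403 )` for both) keeps the handler's behaviour predictable for the JavaScript side.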
social-warfare/trunk/lib/options/SWP_Options_Page.php
r2844082
r2844092
922
922
\*/
923
923
public function delete\_network\_tokens() {
924
$network = $\_POST\['network'\];
924
925
// Bail out if the user is not allowed to manage options.
926
if(false === current\_user\_can('manage\_options') ) {
927
return;
928
}
929
930
$network = sanitize\_text\_field( $\_POST\['network'\] );
925
931
$response = array('ok' => false);
926
932
$response\['ok'\] = SWP\_Credential\_Helper::delete\_token($network);
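Review bot: `$_POST['network']` at line 930 is passed to `sanitize_text_field()` without an `isset()` guard, so a request that omits the parameter raises a PHP notice and then calls `SWP_Credential_Helper::delete_token()` with an empty string; read it as `isset( $_POST['network'] ) ? sanitize_text_field( $_POST['network'] ) : ''` and bail when it is empty, before touching credentials. Since the unchanged `$response = array('ok' => false)` is now only reached after the check, the denied path never builds a response at all; confirm that the calling script handles an empty body rather than treating it as success.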
social-warfare/trunk/lib/utilities/SWP_Utility.php
r2844082
r2844092
474
474
\*/
475
475
public static function reset\_post\_meta() {
476
$post\_id = $\_POST\['post\_id'\];
476
477
// Bail out if the user is not allowed to manage options.
478
if(false === current\_user\_can('manage\_options') ) {
479
return;
480
}
481
482
$post\_id = sanitize\_key( $\_POST\['post\_id'\] );
477
483
if ( empty( $post\_id ) ) {
478
484
wp\_die(0);
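Review bot: the capability check at lines 478-480 is necessary but not sufficient for a handler reachable through admin-ajax; without a `check_ajax_referer()` call in the visible lines, a logged-in administrator can still be made to reset a post's meta by a cross-site request, so pair the capability check with a nonce check. Because the check runs before `$post_id` is read, it can only be a site-wide capability; if the plugin intends per-post control, `current_user_can( 'edit_post', $post_id )` after the ID is sanitized would express that, otherwise the comment should say that only administrators may reset meta. The `sanitize_key()` and `isset()` concerns raised on the `tags/4.3.0` copy of this function apply to this trunk copy as well.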