CVE-2023-3636: Changeset 2942291 for wedevs-project-manager – WordPress Plugin Repository
The WP Project Manager plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 2.6.4 due to insufficient restriction on the ‘save_users_map_name’ function. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber, to modify their user role by supplying the ‘usernames’ parameter.
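The fix in this changeset adds a capability check inside the handler. As an added example (not the plugin's own code, and not part of the changeset), the snippet below shows how such a REST endpoint can be hardened at the route level as well: the `permission_callback` of `register_rest_route()` rejects callers without `manage_options` before the handler runs, the handler repeats the check as defence in depth, and the client-supplied keys are validated strictly instead of being split and written to user meta as-is. The namespace `example/v1`, the route `/users-map`, the text domain `example`, the function name and the allow-list of meta keys are assumptions; the WordPress functions used are real core APIs.

```php
<?php
// Added example (not the plugin's own code): a REST endpoint that updates
// per-user integration usernames, with authorization enforced at the route
// level and strict validation of the client-supplied keys.
// Assumptions: the namespace 'example/v1', the route '/users-map', the text
// domain 'example' and the allowed meta keys are hypothetical; the WordPress
// functions called are real core APIs.

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/users-map', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'example_save_users_map_name',
        // Authorization belongs here: WordPress rejects the request with 401/403
        // before the callback runs unless the current user may manage options.
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'args'                => array(
            'usernames' => array(
                'required'          => true,
                'validate_callback' => function ( $value ) {
                    return is_array( $value );
                },
            ),
        ),
    ) );
} );

function example_save_users_map_name( WP_REST_Request $request ) {
    // Defence in depth: repeat the capability check inside the handler so the
    // function stays safe even if it is ever reached through another route.
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error(
            'usersmap_forbidden',
            __( 'You have no permission to create/update user meta.', 'example' ),
            array( 'status' => 403 )
        );
    }

    $allowed_keys = array( 'github', 'bitbucket' ); // assumed allow-list of meta keys
    $updated      = array();

    foreach ( (array) $request->get_param( 'usernames' ) as $key => $value ) {
        // Expect exactly "<meta_key>_<user_id>"; reject anything else so the
        // client cannot choose an arbitrary meta key or a malformed user id.
        $parts = explode( '_', (string) $key, 2 );
        if ( 2 !== count( $parts ) || ! in_array( $parts[0], $allowed_keys, true ) ) {
            continue;
        }
        if ( ! ctype_digit( $parts[1] ) ) {
            continue; // user id must be a plain positive integer
        }
        $user_id = (int) $parts[1];
        if ( 0 === $user_id || ! get_userdata( $user_id ) ) {
            continue; // unknown or invalid target user
        }

        $meta_value = sanitize_text_field( (string) $value );
        update_user_meta( $user_id, $parts[0], $meta_value );
        $updated[] = $user_id;
    }

    return rest_ensure_response( array(
        'updated' => array_values( array_unique( $updated ) ),
    ) );
}
```

The route-level `permission_callback` is the primary control: WordPress evaluates it for every request to the route, so the handler never sees a request from a subscriber-level account, and an audit of `register_rest_route()` calls in a plugin is a quick way to find endpoints whose callback is `__return_true` or missing.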
wedevs-project-manager/trunk/changelog.txt
r2938582
r2942291
1
\= v2.6.5 - Jul 24, 2023 =
2
3
\*\*Fix:\*\* User controllers meta data updating authentication error.
4
1
5
\= v2.6.4 - Jul 14, 2023 =
2
6
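Review bot: the changelog wording on the added line, `**Fix:** User controllers meta data updating authentication error.`, describes an authorization fix (a missing capability check in `save_users_map_name`) as an "authentication error" and gives no hint that the release closes a privilege-escalation issue. Suggest a security-flagged entry such as "Security: add capability check to the user meta update endpoint" so site owners prioritize updating to 2.6.5; the same line is repeated in readme.txt and should be updated together.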
wedevs-project-manager/trunk/config/app.php
r2938582
r2942291
4
4
'name' => 'Project Manager',
5
5
'slug' => 'pm',
6
'version' => '2.6.4',
6
'version' => '2.6.5',
7
7
'api' => '2',
8
8
'db\_version' => '2.5',
wedevs-project-manager/trunk/cpm.php
r2938582
r2942291
6
6
\* Author: weDevs
7
7
\* Author URI: https://wedevs.com
8
\* Version: 2.6.4
8
\* Version: 2.6.5
9
9
\* Text Domain: wedevs-project-manager
10
10
\* Domain Path: /languages
wedevs-project-manager/trunk/languages/wedevs-project-manager.pot
r2938582
r2942291
3
3
msgid ""
4
4
msgstr ""
5
"Project-Id-Version: WP Project Manager 2.6.4\\n"
5
"Project-Id-Version: WP Project Manager 2.6.5\\n"
6
6
"Report-Msgid-Bugs-To: https://wordpress.org/support/plugin/cpm\\n"
7
"POT-Creation-Date: 2023-07-14 05:33:03+00:00\\n"
7
"POT-Creation-Date: 2023-07-24 04:22:41+00:00\\n"
8
8
"MIME-Version: 1.0\\n"
9
9
"Content-Type: text/plain; charset=utf-8\\n"
…
…
751
751
#: src/Task\_List/Validators/Update\_Task\_List.php:12
752
752
msgid "Task list ID must be greater than zero"
753
msgstr ""
754
755
#: src/User/Controllers/User\_Controller.php:160
756
msgid "You have no permission to create/update user meta."
753
757
msgstr ""
754
758
wedevs-project-manager/trunk/readme.txt
r2938582
r2942291
6
6
Tested up to: 6.0.1
7
7
Requires PHP: 5.6
8
Stable tag: 2.6.4
8
Stable tag: 2.6.5
9
9
License: GPLv2 or later
10
10
License URI: http://www.gnu.org/licenses/gpl-2.0.html
…
…
283
283
284
284
\== Changelog ==
285
286
\= v2.6.5 - Jul 24, 2023 =
287
288
\*\*Fix:\*\* User controllers meta data updating authentication error.
285
289
286
290
\= v2.6.4 - Jul 14, 2023 =
wedevs-project-manager/trunk/src/User/Controllers/User_Controller.php
r2474296
r2942291
156
156
}
157
157
158
public function save\_users\_map\_name(WP\_REST\_Request $request){
158
public function save\_users\_map\_name( WP\_REST\_Request $request ) {
159
if ( ! current\_user\_can( 'manage\_options' ) ) {
160
return new \\WP\_Error( 'usersmap', \_\_( 'You have no permission to create/update user meta.', 'wedevs-project-manager' ) );
161
}
162
159
163
$usernames = $request->get\_params();
160
foreach($usernames\['usernames'\] as $username\_key => $username\_value){
161
$username\_key\_array = explode('\_',$username\_key);
162
if(in\_array('github',$username\_key\_array) || in\_array('bitbucket',$username\_key\_array)){
163
$user\_meta\_key = $username\_key\_array\[0\];
164
$user\_meta\_id = $username\_key\_array\[1\];
165
$user\_meta\_value = !empty($username\_value) ? $username\_value : '' ;
166
update\_user\_meta($user\_meta\_id,$user\_meta\_key,$user\_meta\_value);
164
foreach ( $usernames\['usernames'\] as $username\_key => $username\_value ) {
165
$username\_key\_array = explode( '\_', $username\_key );
166
if ( in\_array( 'github', $username\_key\_array, true ) || in\_array( 'bitbucket', $username\_key\_array, true ) ) {
167
$user\_meta\_id = $username\_key\_array\[1\];
168
$user\_meta\_key = $username\_key\_array\[0\];
169
$user\_meta\_value = ! empty( $username\_value ) ? sanitize\_text\_field( $username\_value ) : '';
170
171
update\_user\_meta( $user\_meta\_id, $user\_meta\_key, $user\_meta\_value );
167
172
}
168
173
}
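Review bot: the added `current_user_can( 'manage_options' )` check closes the privilege-escalation path, but the key parsing that follows still trusts the client-supplied key more than it should: `in_array( 'github', $username_key_array, true )` passes whenever `github` or `bitbucket` appears in any segment of the exploded key, while the meta key written is always `$username_key_array[0]` and the target `$username_key_array[1]` is never validated as an existing integer user ID. Suggest checking the first segment directly (`in_array( $username_key_array[0], array( 'github', 'bitbucket' ), true )`), requiring exactly two segments, and casting the ID with `absint()` and skipping zero or unknown users. Also guard `$usernames['usernames']` with `is_array()` before the `foreach` to avoid a warning on a malformed request, and consider enforcing the capability in the route's `permission_callback` as well so the check holds even if the handler is reused; the `sanitize_text_field()` added on the value is a good change.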
wedevs-project-manager/trunk/vendor/composer/installed.php
r2938582
r2942291
4
4
'pretty\_version' => 'dev-develop',
5
5
'version' => 'dev-develop',
6
'reference' => '233d84ea368fe61885943cf7d1b32597289e303f',
6
'reference' => '68a0cefdee3e28e23325987be4029a6bda09a72a',
7
7
'type' => 'wordpress-plugin',
8
8
'install\_path' => \_\_DIR\_\_ . '/../../',
…
…
175
175
'pretty\_version' => 'dev-develop',
176
176
'version' => 'dev-develop',
177
'reference' => '233d84ea368fe61885943cf7d1b32597289e303f',
177
'reference' => '68a0cefdee3e28e23325987be4029a6bda09a72a',
178
178
'type' => 'wordpress-plugin',
179
179
'install\_path' => \_\_DIR\_\_ . '/../../',