[wp-trac] [WordPress Trac] #57437: Insecure Direct Object Reference in "author" parameter while making a page live Leads to Vertical Privilege Escalation on a Different Account
WordPress Trac
noreply at wordpress.org
Tue Jan 10 03:59:47 UTC 2023
#57437: Insecure Direct Object Reference in "author" parameter while making a page
live Leads to Vertical Privilege Escalation on a Different Account
--------------------------+-----------------------------
Reporter: f41z4n | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Editor | Version: 6.1.1
Severity: normal | Keywords: needs-patch
Focuses: privacy |
--------------------------+-----------------------------
{I've reported it on HackerOne; they said it's a bug and to report it as a bug}
Description:
There is an Insecure Direct Object Reference in the author parameter that
lets a user set the author ID to a different author, who doesn't have
the rights to edit/publish the page.
Steps To Reproduce:
1. Create a page.
2. Click on the settings icon in the page editor.
3. Note that in the page section you can edit the author of the page, with the
list of available users.
4. Choose a legitimate user and intercept the request.
5. Now in the request there is an author parameter which has the ID of the user,
"author":id,. Change this ID to a user who doesn't have the right to
publish or edit the post.
6. By changing the ID to a user who has no role on the WordPress site, you can
see that the user is now the author of the page.
Thanks! Please check the attached video PoC for more clarity.
Recommendations
Make sure to check what values of the author parameter are being parsed by
the backend, and check whether the ID being passed has the right to do so.
Impact
Privilege escalation for an unintended user/low-privilege user.
Bypass of secure design, posting unwanted content from another user's account.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/57437>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
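The check the reporter recommends, as an added example that is not part of the ticket, not a WordPress core patch, and not the reporter's code. It hooks the `rest_pre_insert_page` filter that `WP_REST_Posts_Controller` applies before a page is created or updated through the REST API, which the block editor uses, and returns a `WP_Error` (which aborts the request) when the `author` value names a user who could not author a page themselves. The function name `example_reject_unprivileged_author`, the error codes, and the decision to approximate "may author a page" by the post type's `edit_posts` capability (`edit_pages` for pages) are assumptions made for this example; whether core already performs an equivalent check is not claimed here.

```php
<?php
/**
 * Added example (not WordPress core code, not the ticket's patch): refuse an
 * "author" value that names a user who lacks the capability to edit pages.
 *
 * Assumptions: the rest_pre_insert_page filter from WP_REST_Posts_Controller
 * is in effect for the request, and "may author a page" is approximated by
 * holding the page post type's edit_posts capability (edit_pages).
 */
add_filter( 'rest_pre_insert_page', 'example_reject_unprivileged_author', 10, 2 );

function example_reject_unprivileged_author( $prepared_post, $request ) {
    // Nothing to check if the request did not try to set an author.
    if ( ! isset( $request['author'] ) ) {
        return $prepared_post;
    }

    $author_id = (int) $request['author'];
    $post_type = get_post_type_object( 'page' );

    // The requester must be allowed to reassign authorship at all
    // (edit_others_pages for the page post type).
    if ( get_current_user_id() !== $author_id
         && ! current_user_can( $post_type->cap->edit_others_posts ) ) {
        return new WP_Error(
            'example_cannot_reassign_author',
            __( 'Sorry, you are not allowed to set the author of this page.' ),
            array( 'status' => rest_authorization_required_code() )
        );
    }

    // The chosen author must exist and must be able to edit pages in their
    // own right. A subscriber, or a user with no role on this site, fails here.
    $author = get_userdata( $author_id );
    if ( ! $author || ! user_can( $author, $post_type->cap->edit_posts ) ) {
        return new WP_Error(
            'example_author_lacks_capability',
            __( 'The selected author is not allowed to edit pages.' ),
            array( 'status' => 400 )
        );
    }

    return $prepared_post;
}
```

Dropped into a must-use plugin, this runs for every page create/update sent through the REST API. The same logic would have to be repeated for the classic `post.php` form and for XML-RPC if those entry points matter; the example covers only the REST path the reporter intercepted.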