Advisory:

CMS Tree Page View allows any logged-in user to move pages, regardless of permissions

Vulnerability

Last revised:

Any logged in user can move pages, regardless of their permission level.

Current state: Fixed

CVSS Summary

CVSS base scores for this vulnerability
Score: 4 (Medium)
Vector: Network
Complexity: Low
Authentication: Single
Confidentiality: None
Integrity: Partial
Availability: None
You can read more about CVSS base scores on Wikipedia or in the CVSS specification.

Proof of concept

  1. Create a blank WordPress site, activate CMS Tree Page View plugin, and log in as admin
  2. Publish a new page, to accompany the “Sample page” WordPress creates by default
  3. Note the order of the two pages in the “Pages Tree” panel on the admin dashboard, and their corresponding IDs. In our example, page with ID 4 is at the top of the tree, followed by page with ID 2.
  4. Log out, and log back in as a subscriber, with standard subscriber permissions (i.e. no edit capabilities)
  5. Visit /wp-admin/
  6. In the console, run:
    // Sent from a subscriber session; node IDs are the ones noted in step 3
    jQuery.post(ajaxurl, {
      action: "cms_tpv_move_page",
      "node_id": 4,
      "ref_node_id": 2,
      "type": 'after',
      "icl_post_language": 'en'
    }, function(data, textStatus) {
    });
  7. Log out, and log back in as admin. The “Pages Tree” panel should now show page with ID 2 at the top, with page ID 4 second (i.e. the reverse of before).

Advisory timeline

  • 2017-10-02: Discovered
  • 2017-10-03: Reported to author via email
  • 2017-10-13: Response received
  • 2017-10-15: Author reported issue fixed in 1.4
  • 2017-10-20: Advisory published

Mitigation/further actions

Upgrade to version 1.4.
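
For authors auditing their own AJAX handlers for the same class of bug, the sketch below shows the server-side checks a handler for this action needs before it changes page order. It is an added example, not the plugin's code or its 1.4 fix: the function name, the nonce action and the simplified move logic are assumptions, while the AJAX action and parameter names are taken from the proof of concept.

```php
<?php
// Added example, not CMS Tree Page View's code. example_tpv_move_page and the
// nonce action 'example_tpv_move_page' are hypothetical names.

// wp_ajax_{action} fires for every logged-in user, subscribers included,
// so the handler must enforce permissions itself.
add_action( 'wp_ajax_cms_tpv_move_page', 'example_tpv_move_page' );

function example_tpv_move_page() {
    // Require a nonce issued to the admin screen; dies with 403 if missing or invalid.
    check_ajax_referer( 'example_tpv_move_page' );

    $node_id     = isset( $_POST['node_id'] ) ? absint( $_POST['node_id'] ) : 0;
    $ref_node_id = isset( $_POST['ref_node_id'] ) ? absint( $_POST['ref_node_id'] ) : 0;

    $node = $node_id ? get_post( $node_id ) : null;
    $ref  = $ref_node_id ? get_post( $ref_node_id ) : null;
    if ( ! $node || ! $ref ) {
        wp_send_json_error( 'Unknown page.', 400 );
    }

    // The check the proof of concept shows to be absent: the caller must be
    // allowed to edit both the page being moved and the page it is placed
    // next to. 'edit_post' is a meta capability that WordPress maps to the
    // right primitive capability for the post type and author.
    if ( ! current_user_can( 'edit_post', $node_id )
        || ! current_user_can( 'edit_post', $ref_node_id ) ) {
        wp_send_json_error( 'Insufficient permissions.', 403 );
    }

    // Simplified stand-in for the 'after' move from the proof of concept:
    // adopt the reference page's parent and sort directly after it.
    $result = wp_update_post(
        array(
            'ID'          => $node_id,
            'post_parent' => $ref->post_parent,
            'menu_order'  => $ref->menu_order + 1,
        ),
        true
    );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), 500 );
    }

    wp_send_json_success();
}
```

With these checks in place, the request from step 6 sent by a subscriber is rejected with a 403 response and the page order is left unchanged.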