Beaver Builder Plugin [Authenticated Post Content Copy]
The plugin does not implement security controls when performing specific AJAX actions. Those actions include:
This could allow an authenticated user to exploit these hooks in order to perform actions that they are not authorised to perform.
Anti-CSRF tokens (nonces) are also missing from the callback functions, making those actions prone to CSRF attacks.
From the specified set of actions, the most destructive one is probably fl_builder_duplicate_wpml_layout, which allows a user to duplicate the contents of a post into another post, provided the plugin's frontend editor is available for that post. An attacker can leverage this to wipe a website's content by overwriting posts with duplicated content. It can also be leveraged by a user who does not hold publish_posts to get specific content published by copying it into already published posts.
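As an added illustration (not Beaver Builder's own code), the following shows the shape of the controls the advisory says are missing: a hypothetical copy-layout AJAX handler written the way the advisory describes, followed by a hardened version that verifies a nonce and per-post capabilities before touching any data. The action name, nonce name and meta key are assumptions.

```php
<?php
// Illustrative WordPress AJAX handlers, not the plugin's code.
// Hypothetical action 'example_copy_layout' and meta key '_example_layout_data'.

// Pattern described in the advisory: no nonce and no capability check, so any
// logged-in user reaching admin-ajax.php can trigger it, and a cross-site
// request riding on the victim's cookies can too (CSRF).
function example_copy_layout_vulnerable() {
    $from = (int) $_POST['original_post_id'];
    $to   = (int) $_POST['post_id'];
    $data = get_post_meta( $from, '_example_layout_data', true );
    update_post_meta( $to, '_example_layout_data', $data );
    wp_send_json_success();
}

// Hardened pattern: verify the nonce bound to this action, validate input, then
// check that the caller may edit both the source and the destination post.
function example_copy_layout_hardened() {
    // Dies with a 403 response when the 'nonce' field is missing or invalid.
    check_ajax_referer( 'example_copy_layout', 'nonce' );

    $from = isset( $_POST['original_post_id'] ) ? absint( $_POST['original_post_id'] ) : 0;
    $to   = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;

    if ( ! $from || ! $to || ! get_post( $from ) || ! get_post( $to ) ) {
        wp_send_json_error( 'invalid post id', 400 );
    }

    // 'edit_post' is a meta capability resolved per post: a user holding
    // edit_posts still cannot overwrite someone else's published post.
    if ( ! current_user_can( 'edit_post', $to ) || ! current_user_can( 'edit_post', $from ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $data = get_post_meta( $from, '_example_layout_data', true );
    update_post_meta( $to, '_example_layout_data', $data );
    wp_send_json_success();
}

// Only the hardened callback is registered. The 'wp_ajax_' prefix restricts it to
// logged-in users; the nonce is issued to the editor page with
// wp_create_nonce( 'example_copy_layout' ) and sent back in the 'nonce' field.
add_action( 'wp_ajax_example_copy_layout', 'example_copy_layout_hardened' );
```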
- Create a post using the plugin editor (needs the edit_posts capability)
- Perform a request to copy contents from this post (original_post_id) to another, already published post (post_id), like:

```
POST /wp-admin/admin-ajax.php?action=fl_builder_duplicate_wpml_layout HTTP/1.1
Host: [host]
Cookie: [cookies]
```