GD Press Tools [Missing Function Level Access Control]

GD Press Tools plugin for WordPress suffers from a Missing Function Level Access Control vulnerability

Description

GD Press Tools plugin for WordPress suffers from a Missing Function Level Access Control vulnerability.

Method GDPressTools::saveedit_post() doesn’t properly check user permissions and trusts user input as of post id. This can allow a user to edit information on other users posts.

In many other cases we found similar issues but they are not reported here as they lead to more serious vulnerabilities.

PoC

Follows the vulnerable code:

// ...
if (is_admin()) {
    if ($this->get('integrate_postedit_widget') == 1) {
        add_action('save_post', array(&$this, 'saveedit_post'));
    }
} else {
// ...
// ...
function saveedit_post($post_id) {
    if (isset($_POST['post_ID']) && $_POST['post_ID'] > 0) {
        $post_id = $_POST['post_ID'];
    }

    if (isset($_POST['gdpt_post_edit']) && $_POST['gdpt_post_edit'] == 'edit') {
        if (isset($_POST['gdpt_meta_robots'])) {
            delete_post_meta($post_id, '_gdpt_meta_robots');
        } else {
            $robots = array();
            $raw = $_POST['gdpt_meta_robots_extra'];

            if ($_POST['gdpt_meta_robots_standard'] != '') {
                $robots = explode(',', $_POST['gdpt_meta_robots_standard']);
            }

            if (is_array($raw)) {
                foreach ($raw as $value => $status) {
                    $robots[] = $value;
                }
            }

            update_post_meta($post_id, '_gdpt_meta_robots', join(',', $robots));
        }
    }
}
// ...

Solution

As of 2016-02-18 vendor stated that this plugin is discontinued and won’t resolve this issue. The only available solution is to remove this plugin.


WordPress Plugins Missing Function Level Access Control
INFO
TIMELINE
  • 2016-02-17:
    Vendor notified through contact form in his website
  • 2016-02-17:
    Vendor notified through wordpress.org support forums
  • 2016-02-18:
    Author responded won't fix
  • 2016-02-18:
    Notified security at wordpress.org and plugins at wordpress.org
  • 2016-02-23:
    Plugin was taken down by wordpress.org plugins team