crosspeaksoftware/woo-address-book

AJAX functions accessible to those not logged in

Closed this issue · 4 comments

While reviewing the security changes made in the latest version of the plugin we noticed that the AJAX accessible functions are registered to be accessible to those not logged in to WordPress. It looks like those might only be intended to be accessed by those logged in to WordPress, if so, then removing the nopriv registrations would be a good idea.

Thanks for reviewing the plugin!

You are correct that these actions did require the user to be logged in to do anything so they are not needed with the nopriv flag.

I've gone and removed the nopriv versions.
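The hook change discussed in this thread, shown as an added illustration rather than the woo-address-book plugin's own code. The action name `wc_address_book_demo`, its callback, and the nonce action string are hypothetical placeholders; the nonce check is an extra, standard WordPress guard, not something the thread states the plugin does.

```php
<?php
// Added example; not code from the woo-address-book plugin.
// 'wc_address_book_demo' and the handler below are hypothetical names.

// BEFORE (the pattern raised in the issue): registering the nopriv hook
// as well makes the handler reachable through admin-ajax.php by requests
// that carry no WordPress login at all.
//
//   add_action( 'wp_ajax_wc_address_book_demo',        'wc_address_book_demo_handler' );
//   add_action( 'wp_ajax_nopriv_wc_address_book_demo', 'wc_address_book_demo_handler' );

// AFTER: only the logged-in hook is registered. WordPress routes the
// wp_ajax_nopriv_* hook for anonymous callers and wp_ajax_* for authenticated
// ones, so an unauthenticated request to this action now receives the
// default "0" response instead of running the handler.
add_action( 'wp_ajax_wc_address_book_demo', 'wc_address_book_demo_handler' );

/**
 * Handle the AJAX request. Even with the nopriv hook gone, a logged-in
 * user's browser can still be driven by a cross-site request, so the
 * handler also verifies a nonce (assumed nonce action: 'wc_address_book_demo').
 */
function wc_address_book_demo_handler() {
	// Defence in depth: refuse anonymous callers even if a nopriv hook
	// is ever re-added by mistake.
	if ( ! is_user_logged_in() ) {
		wp_send_json_error( array( 'message' => 'Login required.' ), 401 );
	}

	// CSRF guard: dies with -1 unless a valid nonce is posted as 'nonce'.
	check_ajax_referer( 'wc_address_book_demo', 'nonce' );

	$address_name = isset( $_POST['name'] ) ? sanitize_text_field( wp_unslash( $_POST['name'] ) ) : '';
	if ( '' === $address_name ) {
		wp_send_json_error( array( 'message' => 'Missing address name.' ), 400 );
	}

	// ... act on the current user's own data only ...
	$user_id = get_current_user_id();

	wp_send_json_success( array( 'user_id' => $user_id, 'name' => $address_name ) );
}
```

The matching nonce for the front end would be created with `wp_create_nonce( 'wc_address_book_demo' )` and sent in the `nonce` field of the AJAX request.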

@PluginVulnerabilities I see you also posted about this plugin here: https://www.pluginvulnerabilities.com/2019/08/26/vulnerability-details-cross-site-request-forgery-csrf-in-woocommerce-address-book/ but the post is behind a paywall for your subscription.

Would you be able to send the contents of the post to me? matt@hallme.com

That post just details the security changes made in version 1.6.0, so you should already know the information mentioned there.

I figured that is what it was about, but was curious to see the points that were written about it.