Skip to content

Custom REST API Endpoint may expose data unprividedged users.

Moderate
peterwilsoncc published GHSA-q43c-v867-4cfp Mar 22, 2023

Package

Distributor

Affected versions

<= 1.9.0

Patched versions

1.9.1

Description

Summary

An incorrect capability check in the distributor/list-pull-content REST API endpoint may expose private data, content.raw, users without the correct permissions.

Details

The custom REST API endpoint uses the check_read_permission() function to determine if a user can read the content. While this function is correct for checking if a user can read content, the result is used to determine if the user can read data that is intended to be private:

distributor/includes/rest-api.php

Lines 466 to 486 in 753c325

if ( ! check_read_permission( $post ) ) {
continue;
}
$formatted_posts[] = array(
'id' => $post->ID,
'title' => array( 'rendered' => $post->post_title ),
'excerpt' => array( 'rendered' => $post->post_excerpt ),
'content' => array( 'raw' => $post->post_content ),
'password' => $post->post_password,
'date' => $post->post_date,
'date_gmt' => $post->post_date_gmt,
'guid' => array( 'rendered' => $post->guid ),
'modified' => $post->post_modified,
'modified_gmt' => $post->post_modified_gmt,
'type' => $post->post_type,
'link' => get_the_permalink( $post ),
'comment_status' => $post->comment_status,
'ping_status' => $post->ping_status,
);
}

The effected data is:

  • $post->post_title (should be obtained via get_the_title())
  • $post->post_excerpt (should be run through the get_the_excerpt filter)
  • $post->post_content (should be run obtained via Utils\get_processed_content())
  • $post->post_password (should not be shared)
  • $post->guid (should be run through the get_the_guid filter)

Users with the edit_post meta capability are permitted to read each of these items in their unmodified (raw) forms.

PoC

Configuration

  1. Set up a Distributor site from scratch (WP + the plugin only)
  2. Add a subscriber user (wpcli command here for ease)
  3. Log in as the subscriber
  4. Create an application password

POC using default "Hello World" Post

  1. Run a curl request in the edit context for the WP Post endpoint curl 'http://subscriber:[email protected]/wp-json/wp/v2/posts/1?context=edit'
  2. Observe result: Sorry, you are not allowed to edit this post.
  3. Run a curl request to the distributor endpoint curl -XPOST 'http://subscriber:[email protected]/wp-json/wp/v2/distributor/list-pull-content'
  4. Observe the result: post contains raw data

Impact

Data exposure

See also

Severity

Moderate

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CVE ID

No known CVE

Weaknesses

Credits