WPS Limit Login is published by WP Serveur, a French WordPress host. The criticality level for this update is high.
Disclose
File : /classes/plugin.php
Line 1070 : $files = esc_attr( $_POST['files'] );
Issue : The submitted IDs are not checked to confirm they are attached media, so the IDs can be changed to select any other (private?) media.
CSRF #1
File : /classes/plugin.php
Function : create_zip_archive_medias()
Issue : No nonce check; a simple subscriber can trigger this function.
CSRF #2
File : /classes/plugin.php
Function : delete_zip_archive_medias()
Issue : No nonce check; a simple subscriber can trigger this function.
CSRF #3
File : /classes/plugin.php
Function : delete_zip_archive_medias()
Issue : Filename is not sanitized.
Demo : A form sent by POST with the following values:
- action=delete_zip_archive_medias
- zip=https://example.com/wp-config.php
This simply deletes the file; nothing checks that it was created by the plugin.
CSRF #4
File : /classes/plugin.php
Function : create_zip_archive_files()
Issue : No nonce check; a simple subscriber can trigger this function.
CSRF #5
File : /classes/plugin.php
Function : delete_zip_archive_files()
Issue : Filename is not sanitized.
Demo : A form sent by POST with the following values:
- action=delete_zip_archive_files
- zip=https://example.com/wp-config.php
This simply deletes the file; nothing checks that it was created by the plugin.
CSRF #6
File : /classes/plugin.php
Line : 1223
Issue : No nonce check; this link can be given to a logged-in administrator or included in a hidden page:
https://example.com/wp-admin/admin-ajax.php?action=wpscleaner_rated
CSRF #7
File : /classes/plugin.php
Line : 1346
Issue : No nonce check; this link can be given to a logged-in administrator or included in a hidden page:
https://example.com/wp-admin/admin-ajax.php?action=delete_alert
These vulnerabilities have been patched in v1.4.5.
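
A hardened form of a delete handler like the ones in CSRF #3 and #5, combining the three missing controls listed above (nonce, capability, file confinement). This is an added example, not the plugin's code or its v1.4.5 patch; the action name, nonce name, required capability, archive directory and the choice to accept a bare file name instead of a URL are all assumptions.

```php
<?php
// Added example: hypothetical handler, not the plugin's code.
// Assumptions: archives live in uploads/example-archives/, the nonce action
// is 'example_delete_zip', and only administrators may delete archives.

add_action( 'wp_ajax_example_delete_zip', 'example_delete_zip_archive' );

/**
 * Resolve a user-supplied archive name to a path inside $archive_dir,
 * or return null if it is not a .zip file that lives there.
 */
function example_resolve_archive( $archive_dir, $requested ) {
	// Keep only the final path component: drops URLs, "../" and absolute paths.
	$name = basename( str_replace( '\\', '/', (string) $requested ) );
	if ( ! preg_match( '/\A[A-Za-z0-9._-]+\.zip\z/', $name ) ) {
		return null;
	}
	$base = realpath( $archive_dir );
	$path = $base ? realpath( $base . DIRECTORY_SEPARATOR . $name ) : false;
	// realpath() follows symlinks; the result must still sit directly in $base.
	if ( ! $path || dirname( $path ) !== $base || ! is_file( $path ) ) {
		return null;
	}
	return $path;
}

function example_delete_zip_archive() {
	// 1. CSRF: reject requests without a valid nonce (dies with 403 on failure).
	check_ajax_referer( 'example_delete_zip', 'nonce' );

	// 2. Authorization: wp_ajax_* hooks fire for any logged-in user, subscribers included.
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_send_json_error( 'forbidden', 403 );
	}

	// 3. Input: accept a bare file name and confine it to the archive directory.
	$uploads   = wp_upload_dir();
	$requested = isset( $_POST['zip'] ) ? wp_unslash( $_POST['zip'] ) : '';
	$path      = example_resolve_archive( $uploads['basedir'] . '/example-archives', $requested );
	if ( null === $path ) {
		wp_send_json_error( 'invalid archive', 400 );
	}

	wp_delete_file( $path );
	wp_send_json_success();
}
```

With this check, the `zip=https://example.com/wp-config.php` value from the demos reduces to `wp-config.php`, fails the `.zip` pattern, and is rejected before any file operation.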