The WP Blockade plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 0.9.14. The plugin registers an admin_post action hook 'wp-blockade-shortcode-render' that maps to the render_shortcode_preview() function. This function lacks any capability check (current_user_can()) and nonce verification, allowing any authenticated user to execute arbitrary WordPress shortcodes. The function takes a user-supplied 'shortcode' parameter from $_GET, passes it through stripslashes(), and directly executes it via do_shortcode(). This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary shortcodes, which could lead to information disclosure, privilege escalation, or other impacts depending on what shortcodes are registered on the site (e.g., shortcodes from other plugins that display sensitive data, perform actions, or include files).
The WP Blockade WordPress plugin versions up to 0.9.14 contain a missing authorization vulnerability in the wp-blockade-shortcode-render action hook. Authenticated users with Subscriber-level access can execute arbitrary shortcodes without proper capability checks or nonce verification, potentially leading to information disclosure or privilege escalation.
The WP Blockade plugin, in versions up to 0.9.14, contains a missing authorization vulnerability in the wp-blockade-shortcode-render action hook. Authenticated users with Subscriber-level access can execute arbitrary WordPress shortcodes without proper capability checks or nonce verification.
1. Update the WP Blockade plugin to version 0.9.15 or later immediately.
2. Add capability checks using current_user_can() to verify user permissions before executing shortcodes.
3. Implement nonce verification for the wp-blockade-shortcode-render action.
4. Sanitize and validate the 'shortcode' parameter from $_GET input.
5. Restrict the action hook to administrator-level users only.
6. Audit WordPress user roles and remove unnecessary Subscriber accounts with plugin access.
1. Update the WP Blockade plugin to version 0.9.15 or later immediately.
2. Add capability checks using current_user_can() to verify the user's permissions before executing shortcodes.
3. Apply nonce verification to the wp-blockade-shortcode-render action.
4. Sanitize and validate the 'shortcode' parameter from $_GET input.
5. Restrict the action to administrator-level users only.
6. Review WordPress user roles and remove unnecessary Subscriber accounts that have access to the plugin.
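The following is an added illustration of the vulnerable pattern the advisory describes and of remediation steps 2 through 5 applied to an admin_post handler. It is not the WP Blockade plugin's own code: the unsafe handler is reconstructed from the advisory text, the hardened function name, the 'edit_posts' capability choice, the text domain and the allowlist of preview-able tags are assumptions made for the example.

```php
<?php
// Added example, not WP Blockade's code. Hook and parameter names come from the
// advisory; everything else (function names, capability, allowlist) is assumed.

// --- Pattern described by the advisory (reconstructed; kept for contrast only) ---
// add_action( 'admin_post_wp-blockade-shortcode-render', 'render_shortcode_preview' );
// function render_shortcode_preview() {
//     $shortcode = stripslashes( $_GET['shortcode'] );   // no capability check, no nonce
//     echo do_shortcode( $shortcode );                   // any logged-in user reaches this
//     exit;
// }

// --- Hardened handler: capability check, nonce verification, input validation ---
add_action( 'admin_post_wp-blockade-shortcode-render', 'wpb_render_shortcode_preview_hardened' );

function wpb_render_shortcode_preview_hardened() {
    // Step 2 / 5: gate on a capability. 'edit_posts' limits this to Contributor and
    // above; use 'manage_options' if only administrators should ever render previews.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_die( esc_html__( 'You are not allowed to preview shortcodes.', 'wp-blockade' ), 403 );
    }

    // Step 3: the request must carry a nonce minted for exactly this action.
    // check_admin_referer() calls wp_die() with a 403 when the nonce is missing or stale.
    check_admin_referer( 'wp-blockade-shortcode-render', '_wpnonce' );

    // Step 4: require the parameter, unslash the WordPress way, and only accept a
    // single, registered shortcode whose tag is on the plugin's own allowlist.
    $raw = isset( $_GET['shortcode'] ) ? wp_unslash( $_GET['shortcode'] ) : '';
    $tag = wpb_extract_shortcode_tag( $raw );

    if ( '' === $tag || ! shortcode_exists( $tag ) || ! in_array( $tag, wpb_preview_allowed_tags(), true ) ) {
        wp_die( esc_html__( 'Shortcode not allowed in preview.', 'wp-blockade' ), 400 );
    }

    header( 'Content-Type: text/html; charset=' . get_option( 'blog_charset' ) );
    echo do_shortcode( $raw );
    exit;
}

// Returns the tag of the first shortcode in $input, or '' if it is not a shortcode.
function wpb_extract_shortcode_tag( $input ) {
    if ( preg_match( '/^\[([a-zA-Z0-9_-]+)/', trim( (string) $input ), $m ) ) {
        return $m[1];
    }
    return '';
}

// Assumed allowlist: the tags this plugin itself renders. Extend via a filter so a
// site owner can widen it deliberately instead of the handler accepting any tag.
function wpb_preview_allowed_tags() {
    return apply_filters( 'wpb_preview_allowed_shortcodes', array( 'blockade-row', 'blockade-column' ) );
}

// Building the preview link: the nonce is minted with the same action string the
// handler verifies, so a link copied from elsewhere (or forged) will not pass.
function wpb_preview_url( $shortcode ) {
    $url = add_query_arg(
        array(
            'action'    => 'wp-blockade-shortcode-render',
            'shortcode' => rawurlencode( $shortcode ),
        ),
        admin_url( 'admin-post.php' )
    );
    return wp_nonce_url( $url, 'wp-blockade-shortcode-render', '_wpnonce' );
}
```

The order of the checks matters: the capability check runs first so that an unprivileged account cannot even trigger nonce failures that would log as "expired link" noise, and the allowlist is keyed on the registered tag rather than on the raw string so that shortcodes from other plugins (the path the advisory names for information disclosure or privilege escalation) are never reached. For detection on sites that cannot upgrade at once, requests to admin-post.php with action=wp-blockade-shortcode-render from accounts below the expected role are the signal to alert on.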