Post Type Switcher WordPress Plugin Insecure Direct Object Reference Vulnerability

A vulnerability allowing Insecure Direct Object Reference (IDOR) has been identified in the Post Type Switcher plugin for WordPress, affecting versions through 4.0.0. The vulnerability arises from inadequate validation of a user-controlled key, enabling authenticated attackers with Author-level access or higher to alter the post type of any posts or pages they do not own. This includes posts created by administrators, potentially causing disruption to the site, damaging navigation, and harming SEO.

Impact

Exploitation of this vulnerability allows for unauthorized modification of post types, which can disrupt site functionality, create navigation issues, and negatively impact search engine optimization.

Reproduction

To reproduce this vulnerability, an authenticated user with Author-level access can send a request to the WordPress site using the 'admin-ajax.php' file. The request must include the 'pts_post_type' parameter, specifying the new post type, and the 'post_id' parameter, indicating the ID of the post or page to be modified. The 'pts-nonce-select' parameter must also be included to validate the request. Once the request is processed, the post type of the specified post or page will be changed to the one indicated, regardless of the user's ownership of the content.

Remediation

Users are advised to update the Post Type Switcher plugin to version 4.0.1 or later.