ONLYOFFICE Docs WordPress Plugin Privilege Escalation Vulnerability
Vulnerability
A privilege escalation vulnerability has been identified in the ONLYOFFICE Docs plugin for WordPress, affecting versions 1.1.0 through 2.2.0. The issue arises from a lack of proper authorization in the 'oo.callback' REST endpoint. While the plugin checks that the provided encrypted attachment ID corresponds to an existing attachment post, it fails to verify the requester's identity or capabilities. This oversight allows unauthenticated attackers to log in as any user.
Impact
Exploitation of this vulnerability allows unauthenticated users to gain unauthorized access to WordPress accounts, potentially with elevated privileges, depending on the user account accessed.
Reproduction
To reproduce this vulnerability, send a request to the 'oo.callback' REST endpoint with an encrypted attachment ID that corresponds to an existing attachment post. The request requires no authentication, and it triggers the vulnerability by logging the requester in as the user associated with the specified attachment ID.
Remediation
Users can update to ONLYOFFICE Docs version 2.3.0, which improves security for the '/callback' API endpoint.
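As an added example (not from this advisory or the ONLYOFFICE project), the following Python check reads the `Version:` header of a plugin's main PHP file and triages it against the version range stated above. The sample headers are constructed, and treating every release from 1.1.0 up to 2.3.0 as affected is a conservative assumption for versions the advisory does not list.

```python
import re

# From the advisory: 1.1.0 through 2.2.0 are affected, 2.3.0 carries the fix.
AFFECTED_MIN = (1, 1, 0)
FIXED = (2, 3, 0)

# WordPress takes a plugin's version from the "Version:" line of the header
# comment in its main PHP file, reading only the first 8 KiB.
HEADER_VERSION = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\S+)", re.M | re.I)


def parse_version(text):
    """Turn '2.2' or '2.2.0' into a 3-tuple of ints; None if not numeric."""
    m = re.fullmatch(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    return tuple(int(p or 0) for p in m.groups()) if m else None


def header_version(php_source):
    """Return the raw Version header value, or None when it is absent."""
    m = HEADER_VERSION.search(php_source[:8192])
    return m.group(1) if m else None


def triage(php_source):
    """Classify one plugin main file as affected / not affected / unknown."""
    raw = header_version(php_source)
    version = parse_version(raw) if raw else None
    if version is None:
        return "unknown"  # missing or non-numeric header: inspect by hand
    # Assumption: anything from 1.1.0 up to (not including) 2.3.0 is treated
    # as affected, so an unlisted release such as 2.2.1 is not waved through.
    return "affected" if AFFECTED_MIN <= version < FIXED else "not affected"


# Constructed sample headers, not copied from the plugin's real file.
SAMPLES = {
    "site-a": "<?php\n/**\n * Plugin Name: ONLYOFFICE Docs\n * Version: 2.2.0\n */\n",
    "site-b": "<?php\n/**\n * Plugin Name: ONLYOFFICE Docs\n * Version: 2.3.0\n */\n",
    "site-c": "<?php\n/**\n * Plugin Name: ONLYOFFICE Docs\n */\n",
}

if __name__ == "__main__":
    for site, source in SAMPLES.items():
        print(site, header_version(source), triage(source))
```

An "unknown" result means the header could not be read as a numeric version and the installation should be checked manually rather than assumed safe.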
