AIKTP WordPress Plugin Missing Authorization Vulnerability in REST API Endpoint
Vulnerability
A vulnerability exists in the AIKTP plugin for WordPress, affecting all versions up to and including 5.0.04. The issue arises from an inadequate authorization check on the '/aiktp/getToken' REST API endpoint. This endpoint, intended to generate a token for authenticated users, only verifies that the requester is logged in; it never confirms that the requester has administrative privileges (authentication is checked, authorization is not). As a result, authenticated attackers with Subscriber-level access or higher can retrieve the 'aiktpz_token' of an administrator. This token can then be used to create posts, upload media files, and access private content on behalf of the administrator.
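The defective check beside its hardened form, written in the WordPress REST API idiom as an added illustration of the advisory (not the AIKTP plugin's own code; the namespace split of the route path, the function names and where the token is stored are assumptions):

```php
<?php
// Added illustration, not the AIKTP plugin's code. The route path
// '/aiktp/getToken' comes from the advisory; the 'aiktp' namespace,
// the function names and the 'aiktpz_token' storage are assumptions.

// Weak pattern: the permission callback only asks "is someone logged in?".
// Any Subscriber passes it and receives the administrator's token.
function aiktp_example_register_weak_route() {
    register_rest_route( 'aiktp', '/getToken', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'aiktp_example_get_token',
        'permission_callback' => 'is_user_logged_in', // authentication only, no authorization
    ) );
}

// Hardened pattern: require the capability the token actually confers.
// Only a user who can already act as an administrator may obtain it.
function aiktp_example_register_hardened_route() {
    register_rest_route( 'aiktp', '/getToken', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'aiktp_example_get_token',
        'permission_callback' => function ( WP_REST_Request $request ) {
            if ( ! current_user_can( 'manage_options' ) ) {
                // 401 for anonymous requests, 403 for logged-in but unauthorized ones
                return new WP_Error(
                    'rest_forbidden',
                    __( 'You are not allowed to obtain this token.', 'aiktp-example' ),
                    array( 'status' => rest_authorization_required_code() )
                );
            }
            return true;
        },
    ) );
}

// The handler is identical in both versions: the defect is in who may
// reach it, not in what it returns. Storing the token in an option is
// an assumption made for this example.
function aiktp_example_get_token( WP_REST_Request $request ) {
    $token = get_option( 'aiktpz_token', '' );
    return rest_ensure_response( array( 'token' => $token ) );
}

add_action( 'rest_api_init', 'aiktp_example_register_hardened_route' );
```

When reviewing a plugin for this class of bug, grep every register_rest_route() call and confirm that permission_callback checks a capability (current_user_can) rather than only is_user_logged_in or __return_true.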
Impact
Exploitation of this vulnerability allows authenticated users with Subscriber-level access to retrieve an administrator's access token, which can then be used to perform various actions as the administrator, including creating posts, uploading media, and accessing private content.
Reproduction
To reproduce this vulnerability, an authenticated user with Subscriber-level access sends a request to the '/aiktp/getToken' endpoint carrying their ordinary authentication headers. Because the endpoint checks only that the requester is logged in and never checks for administrative capabilities, the response contains the administrator's token.
Remediation
Users are advised to update the AIKTP WordPress plugin to version 5.0.05 or later, where this vulnerability has been patched.
