WP Blockade Missing Authorization Vulnerability Allows Arbitrary Shortcode Execution
Vulnerability
A vulnerability exists in the WP Blockade plugin for WordPress, affecting all versions up to and including 0.9.14. The issue stems from a missing authorization check in the 'wp-blockade-shortcode-render' admin_post action. The associated 'render_shortcode_preview()' function does not verify user capabilities or nonce values, enabling any authenticated user with Subscriber-level access or higher to execute arbitrary WordPress shortcodes. This is achieved by sending a user-defined 'shortcode' parameter via $_GET, which is processed and executed through 'do_shortcode()'. The vulnerability could lead to information disclosure, privilege escalation, or other impacts, depending on the executed shortcodes.
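To make the missing check concrete, the following is an added example (not the WP Blockade plugin's own code) that shows a minimal admin_post handler in the shape the advisory describes beside a hardened version; the function names, the nonce action string and the choice of the 'edit_posts' capability are assumptions for illustration.

```php
<?php
// Added example, not the WP Blockade plugin's own code: a minimal admin_post
// handler in the shape the advisory describes, next to a hardened version.
// Function names, the nonce action and the 'edit_posts' capability are
// assumptions for illustration.

// Vulnerable pattern (NOT hooked below): no capability check, no nonce, and the
// raw 'shortcode' query parameter is passed straight to do_shortcode(), so any
// logged-in user who can reach admin-post.php can trigger it.
function example_render_shortcode_preview_unsafe() {
    $shortcode = isset( $_GET['shortcode'] ) ? wp_unslash( $_GET['shortcode'] ) : '';
    echo do_shortcode( $shortcode );
    exit;
}

// Hardened pattern: verify a nonce bound to this action, then require a
// capability appropriate for a shortcode preview, and only then render.
function example_render_shortcode_preview_safe() {
    // The editor page must embed the nonce, e.g. via
    // wp_nonce_url( admin_url( 'admin-post.php?action=wp-blockade-shortcode-render' ),
    //               'wp-blockade-shortcode-render' ).
    // check_admin_referer() calls wp_die() itself if the nonce is missing or invalid.
    check_admin_referer( 'wp-blockade-shortcode-render' );

    // Subscribers lack 'edit_posts'; contributors and above have it. Pick the
    // capability that matches who legitimately uses the preview.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_die( esc_html__( 'You are not allowed to preview shortcodes.', 'example' ), 403 );
    }

    $shortcode = isset( $_GET['shortcode'] ) ? wp_unslash( $_GET['shortcode'] ) : '';
    if ( '' === $shortcode ) {
        wp_die( esc_html__( 'No shortcode supplied.', 'example' ), 400 );
    }

    header( 'Content-Type: text/html; charset=' . get_option( 'blog_charset' ) );
    echo do_shortcode( $shortcode );
    exit;
}

// Register only the hardened handler. admin_post_{action} already requires a
// logged-in user; the capability check above is what narrows it further. Do not
// also register admin_post_nopriv_{action} for this handler.
add_action( 'admin_post_wp-blockade-shortcode-render', 'example_render_shortcode_preview_safe' );
```

The nonce stops cross-site triggering of the preview and the capability check is the control that actually closes the gap the advisory describes, since a nonce alone is still obtainable by any logged-in user who can load the page that issues it.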
Impact
Exploitation of this vulnerability could result in unauthorized execution of shortcodes, potentially leading to information disclosure, privilege escalation, or other impacts based on the executed shortcodes' functionality.
Reproduction
To reproduce this vulnerability, an authenticated user with Subscriber-level access or higher can send a request to the 'wp-blockade-shortcode-render' admin_post action. The request must include a 'shortcode' parameter, which can be any WordPress shortcode. Once the request is processed, the specified shortcode will be executed on the site.
