RockPress WordPress Plugin Missing Authorization Vulnerability Allowing Arbitrary Modifications via AJAX
Vulnerability
A vulnerability exists in the RockPress plugin for WordPress, affecting all versions up to and including 1.0.17. Several of the plugin's AJAX actions lack adequate authorization checks, and the nonce that protects them is exposed to every authenticated user because the 'rockpress-admin' script is enqueued on all admin pages without any page or capability restriction. Any authenticated user, including one with Subscriber-level access, can therefore obtain the nonce and use it to call actions that should be limited to administrators: triggering resource-intensive import processes, resetting import data, and performing system connection checks.
Impact
Exploitation of this vulnerability allows authenticated users with Subscriber-level access to bypass authorization and make arbitrary modifications via AJAX, including triggering heavy import tasks and resetting import-related data.
Reproduction
To reproduce this vulnerability, an authenticated user with Subscriber-level access can extract the 'rockpress-nonce' from the HTML source of any admin page. This nonce can then be used to call the vulnerable AJAX actions, such as 'rockpress_import', 'rockpress_reset_import', or 'rockpress_check_services', thereby exploiting the missing authorization.
Remediation
Users are advised to update the RockPress WordPress plugin to version 1.0.18 or later, where this vulnerability has been patched.
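The defect pattern described above, and the shape of fix the update implies, as an added illustrative example that is not RockPress's own code: a handler that relies on the nonce alone beside one that also enforces a capability check, and an enqueue that loads the admin script (and its nonce) only where it is needed. The action, nonce and script names are taken from this advisory; the capability, page hook suffix and script path are assumptions.

```php
<?php
// Illustrative hardening of a WordPress AJAX handler (not the plugin's code).
// Assumed: action 'rockpress_import' and nonce 'rockpress-nonce' from the
// advisory; 'manage_options', the page hook suffix and 'admin.js' are assumptions.

// Weak pattern: only the nonce is validated. A nonce proves the request came
// from a page WordPress rendered for this user (CSRF protection); it does not
// prove the user is allowed to perform the action. When the nonce is printed
// on every admin page, any logged-in Subscriber can obtain it.
function rockpress_import_weak() {
    check_ajax_referer( 'rockpress-nonce', 'nonce' );
    // ... start the import ...
    wp_send_json_success();
}

// Hardened pattern: nonce check plus an explicit capability check. Every AJAX
// action that changes state or is expensive needs both.
function rockpress_import_hardened() {
    check_ajax_referer( 'rockpress-nonce', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    // ... start the import ...
    wp_send_json_success();
}
add_action( 'wp_ajax_rockpress_import', 'rockpress_import_hardened' );
// No 'wp_ajax_nopriv_' registration, so unauthenticated callers never reach it.

// Enqueue the admin script, and hence the nonce, only on the plugin's own page
// and only for users who can act on it, rather than on every admin page.
function rockpress_enqueue_admin_script( $hook_suffix ) {
    // 'toplevel_page_rockpress' is an assumed hook suffix for the plugin page.
    if ( 'toplevel_page_rockpress' !== $hook_suffix || ! current_user_can( 'manage_options' ) ) {
        return;
    }
    wp_enqueue_script( 'rockpress-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'rockpress-admin', 'rockpressAjax', array(
        'ajax_url' => admin_url( 'admin-ajax.php' ),
        'nonce'    => wp_create_nonce( 'rockpress-nonce' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'rockpress_enqueue_admin_script' );
```

The same two checks belong in the handlers for 'rockpress_reset_import' and 'rockpress_check_services'; restricting where the script is enqueued reduces exposure but is not a substitute for the capability check in each handler.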
