Kirby CMS Page Creation API Bypasses Change Status Permission Check

Vulnerability

A vulnerability in Kirby CMS allows an authenticated user who holds the permission to create pages to bypass the normal editorial workflow. Prior to Kirby versions 4.9.0 and 5.4.0, page creation via the REST API did not enforce the 'pages.changeStatus' permission: such a user could create a page that was published immediately, instead of following the intended process of creating a draft and having its status changed by a user who holds 'pages.changeStatus'. The issue is addressed in Kirby 4.9.0 and 5.4.0 by ensuring that users without the 'pages.changeStatus' permission can only create draft pages.
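The following added example (not Kirby's own code) models the permission check described above in a small, framework-independent way. It assumes a user carries a set of permission names such as 'pages.create' and 'pages.changeStatus', and that a page's status is one of Kirby's three values draft, unlisted and listed. The vulnerable handler only checks 'pages.create' and honours whatever status the API caller supplies; the fixed handler treats a non-draft status at creation time as a status change and refuses it without 'pages.changeStatus'. Whether Kirby rejects the request or silently creates a draft is not stated on this page; rejecting is a modelling choice here.

```python
from dataclasses import dataclass

VALID_STATUSES = {"draft", "unlisted", "listed"}


class PermissionDenied(Exception):
    """Raised when the acting user lacks a required permission."""


@dataclass
class User:
    name: str
    permissions: frozenset  # e.g. {"pages.create", "pages.changeStatus"}

    def can(self, permission: str) -> bool:
        return permission in self.permissions


@dataclass
class Page:
    slug: str
    status: str


def create_page_vulnerable(user: User, slug: str, status: str = "draft") -> Page:
    """Pre-fix behaviour (modelled): only pages.create is checked, so the
    caller-supplied status is applied directly and a page can be born published."""
    if not user.can("pages.create"):
        raise PermissionDenied("pages.create")
    if status not in VALID_STATUSES:
        raise ValueError(f"unknown status {status!r}")
    return Page(slug, status)


def create_page_fixed(user: User, slug: str, status: str = "draft") -> Page:
    """Fixed behaviour (modelled): creating anything other than a draft is a
    status change and therefore also requires pages.changeStatus."""
    if not user.can("pages.create"):
        raise PermissionDenied("pages.create")
    if status not in VALID_STATUSES:
        raise ValueError(f"unknown status {status!r}")
    if status != "draft" and not user.can("pages.changeStatus"):
        raise PermissionDenied("pages.changeStatus")
    return Page(slug, status)


def change_status(user: User, page: Page, status: str) -> Page:
    """The normal second step of the workflow: publishing an existing draft."""
    if status not in VALID_STATUSES:
        raise ValueError(f"unknown status {status!r}")
    if not user.can("pages.changeStatus"):
        raise PermissionDenied("pages.changeStatus")
    page.status = status
    return page


# Constructed sample roles (assumptions, not Kirby's default roles):
# an editor who may create pages but not publish, and a publisher who may do both.
EDITOR = User("editor", frozenset({"pages.create"}))
PUBLISHER = User("publisher", frozenset({"pages.create", "pages.changeStatus"}))


def demo() -> tuple:
    """Returns (status the vulnerable path produced for the editor,
    whether the fixed path blocked the same request,
    status of the page the editor can legitimately create)."""
    leaked = create_page_vulnerable(EDITOR, "press-release", status="listed")
    try:
        create_page_fixed(EDITOR, "press-release", status="listed")
        blocked = False
    except PermissionDenied:
        blocked = True
    draft = create_page_fixed(EDITOR, "press-release")
    return leaked.status, blocked, draft.status


if __name__ == "__main__":
    print(demo())
```

The editor role is the interesting one: with the vulnerable handler its 'listed' request succeeds, so a page goes live without anyone holding 'pages.changeStatus' ever acting on it. With the fixed handler the same request is refused, the editor can still create the draft, and only the publisher can move it to 'listed' through change_status.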

Impact

Exploitation of this vulnerability allows a user who may create pages but not change their status to publish content without review, bypassing the intended editorial workflow and potentially leading to unauthorized changes to the live site's content. It requires an authenticated account that already holds the page creation permission.

Remediation

Users are advised to update to Kirby version 4.9.0 or 5.4.0. Instructions for updating to these versions are available on the Kirby GitHub releases page. After updating, it is worth reviewing which roles grant page creation without 'pages.changeStatus' and checking whether any pages created through the API by such roles are already published rather than in draft status.

Added: Apr 24, 2026, 1:20 AM
Updated: Apr 24, 2026, 1:20 AM

Vulnerability Rating

Custom Algorithm
spread: 5.2
impact: 0.6
exploitability: 5.4
remediation: 7.7
relevance: 6.6
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.