6Storage Rentals
Affected versions: <= 2.22.0
A vulnerability exists in the 6Storage Rentals plugin for WordPress, affecting all versions up to and including 2.22.0. It is an authorization bypass that allows unauthenticated users to read and manipulate tenant information through the 'userId' parameter of the 'six_storage_get_user_info' and 'six_storage_update_profile' AJAX actions. The handlers perform no ownership verification, session binding, or nonce validation, so a crafted request with a chosen 'userId' value can access and modify sensitive data such as names, email addresses, phone numbers, physical addresses, and Social Security numbers.
Exploitation of this vulnerability allows for unauthorized access to and modification of user profile data, including sensitive information such as Social Security numbers.
To reproduce this vulnerability, send a request to the 'six_storage_get_user_info' or 'six_storage_update_profile' AJAX actions with an enumerated 'userId' value. The absence of ownership verification and nonce validation will permit the modification or retrieval of arbitrary tenants' profile data.
No known patch is available. It is recommended to uninstall the affected plugin and consider a replacement.
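For sites that ran an affected version, request logs can be reviewed for calls to the two actions. The following is an added example, not code from the plugin or from this advisory: it assumes a WAF or audit log that writes one JSON object per line with the hypothetical fields `ip`, `logged_in` and `params`, and the sample records are constructed.

```python
import json
from collections import defaultdict

# The two AJAX actions named in the advisory.
ACTIONS = {"six_storage_get_user_info", "six_storage_update_profile"}

# Constructed sample records (not real traffic). Assumed format: one JSON
# object per line recording the client IP, whether a WordPress login cookie
# was sent, and the decoded request parameters.
SAMPLE_LOG = """\
{"ip": "198.51.100.7", "logged_in": false, "params": {"action": "six_storage_get_user_info", "userId": "101"}}
{"ip": "198.51.100.7", "logged_in": false, "params": {"action": "six_storage_get_user_info", "userId": "102"}}
{"ip": "198.51.100.7", "logged_in": false, "params": {"action": "six_storage_get_user_info", "userId": "103"}}
{"ip": "198.51.100.7", "logged_in": false, "params": {"action": "six_storage_update_profile", "userId": "102"}}
{"ip": "203.0.113.20", "logged_in": true, "params": {"action": "six_storage_get_user_info", "userId": "55"}}
{"ip": "203.0.113.20", "logged_in": true, "params": {"action": "six_storage_update_profile", "userId": "55"}}
{"ip": "192.0.2.9", "logged_in": false, "params": {"action": "heartbeat"}}
not json
"""

def find_suspicious_clients(log_text, min_distinct_ids=3):
    """Return {ip: finding} for clients whose calls to the affected actions
    were unauthenticated or touched several different userId values."""
    seen = defaultdict(lambda: {"ids": set(), "unauth": 0, "updates": 0})
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except ValueError:
            continue  # skip blank or malformed lines
        params = rec.get("params") if isinstance(rec, dict) else None
        action = params.get("action") if isinstance(params, dict) else None
        if action not in ACTIONS:
            continue
        entry = seen[rec.get("ip", "unknown")]
        entry["ids"].add(str(params.get("userId")))
        if not rec.get("logged_in"):
            entry["unauth"] += 1
        if action == "six_storage_update_profile":
            entry["updates"] += 1  # profile data may have been modified
    findings = {}
    for ip, e in seen.items():
        reasons = []
        if e["unauth"]:
            reasons.append("unauthenticated")
        if len(e["ids"]) >= min_distinct_ids:
            reasons.append("multiple_user_ids")
        if reasons:
            findings[ip] = {"reasons": reasons, "distinct_ids": len(e["ids"]),
                            "update_calls": e["updates"]}
    return findings
```

A non-zero `update_calls` for a flagged client means the affected tenant records should be checked for tampering, not only for disclosure.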