SB2020032713 - Multiple vulnerabilities in IMPress for IDX Broker plugin for WordPress

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Stored cross-site scripting (CVE-ID: N/A)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data in the "idx_update_recaptcha_key" AJAX action. A remote authenticated attacker can inject and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

2) Improper access control (CVE-ID: CVE-2020-9514)

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions in the "idx_ajax_create_dynamic_page" and "idx_ajax_delete_dynamic_page" AJAX actions. A remote authenticated attacker can send a specially crafted request to "wp-admin/admin-ajax.php" with the "action" parameter set to "create_dynamic_page" and the "post_title" parameter set to any arbitrary value, leading to post or page creation, modification and deletion. 

Remediation

Install update from vendor's website.

References

• https://wpvulndb.com/vulnerabilities/10152/
• https://www.wordfence.com/blog/2020/03/vulnerabilities-patched-in-impress-for-idx-broker/
• https://wpvulndb.com/vulnerabilities/10153/