CMS Tree Page View allows any logged-in user to move pages, regardless of permissions

Score: 4 (Medium)
Vector: Network
Complexity: Low
Authentication: Single
Confidentiality: None
Integrity: Partial
Availability: None

You can read more about CVSS base scores on Wikipedia or in the CVSS specification.

Vulnerability

Any logged-in user can move pages, regardless of their permission level.

Proof of concept

  1. Create a blank WordPress site, activate CMS Tree Page View plugin, and log in as admin
  2. Publish a new page, to accompany the “Sample page” WordPress creates by default
  3. Note the order of the two pages in the “Pages Tree” panel on the admin dashboard, and their corresponding IDs. In our example, page with ID 4 is at the top of the tree, followed by page with ID 2.
  4. Log out, and log back in as a subscriber, with standard subscriber permissions (i.e. no edit capabilities)
  5. Visit /wp-admin/
  6. In the console, run:
    jQuery.post(ajaxurl, {
      action: "cms_tpv_move_page",
      "node_id": 4,
      "ref_node_id": 2,
      "type": 'after',
      "icl_post_language": 'en'
    }, function(data, textStatus) {
    });
  7. Log out, and log back in as admin. The “Pages Tree” panel should now show page with ID 2 at the top, with page ID 4 second (i.e. the reverse of before).

Mitigation/further actions

Upgrade to version 1.4.
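
The advisory does not show how version 1.4 closes the hole. As an added illustration (not the plugin's own code), the sketch below shows the kind of server-side authorisation an AJAX handler for the `cms_tpv_move_page` action needs. The function name, nonce name, allow-listed `type` values other than `after`, and the simplified placement logic are assumptions.

```php
<?php
// Added example: a hypothetical handler, not CMS Tree Page View's own code.
// The action name and POST fields are the ones used in the proof of concept.
add_action( 'wp_ajax_cms_tpv_move_page', 'example_tpv_move_page' );

function example_tpv_move_page() {
    // Assumption: the admin page emits a nonce for this action in a "nonce" field.
    // check_ajax_referer() terminates the request if the nonce is missing or invalid.
    check_ajax_referer( 'example_tpv_move_page', 'nonce' );

    $node_id     = isset( $_POST['node_id'] ) ? absint( $_POST['node_id'] ) : 0;
    $ref_node_id = isset( $_POST['ref_node_id'] ) ? absint( $_POST['ref_node_id'] ) : 0;
    $type        = isset( $_POST['type'] ) ? sanitize_key( $_POST['type'] ) : '';

    // Allow-list of positions. Only "after" appears in the advisory; the rest are assumed.
    $allowed = array( 'before', 'after', 'inside' );
    if ( ! $node_id || ! $ref_node_id || ! in_array( $type, $allowed, true ) ) {
        wp_send_json_error( 'Bad request', 400 );
    }

    // The check the advisory says was missing. wp_ajax_* hooks fire for every
    // logged-in user, subscribers included, so the handler has to verify the
    // caller's capability on both pages itself.
    if ( ! current_user_can( 'edit_post', $node_id )
        || ! current_user_can( 'edit_post', $ref_node_id ) ) {
        wp_send_json_error( 'Forbidden', 403 );
    }

    $ref = get_post( $ref_node_id );
    if ( ! $ref ) {
        wp_send_json_error( 'Not found', 404 );
    }

    // Simplified placement: a real tree view would also renumber the siblings.
    $update = array( 'ID' => $node_id );
    if ( 'inside' === $type ) {
        $update['post_parent'] = $ref->ID;
    } else {
        $update['post_parent'] = $ref->post_parent;
        $update['menu_order']  = $ref->menu_order + ( 'after' === $type ? 1 : 0 );
    }
    wp_update_post( $update );
    wp_send_json_success();
}
```

With a check like this in place, repeating step 6 of the proof of concept as a subscriber returns a 403 error and the page order is unchanged.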