Seven disclosures this week, with zero issues unfixed. YAY!
View this week’s vulnerable plugin list.
This week, let’s look at the Authenticated, Unauthorized Information Disclosure vulnerability in version 1.1.0 of the Advanced Contact Form 7 DB plugin, as you may be asking how there can be a problem if someone is already authenticated. Authentication is the process of verifying who a user is, typically by checking credentials (e.g. a username and password): it proves that you are actually you. Authorization, on the other hand, is the process of determining whether an authenticated user has the appropriate permissions (access rights) for a resource, process, etc. A valid login answers the first question and says nothing about the second.

In the case of this plugin, the code checked that a user was authenticated (logged in) but failed to check that they were authorized to view contact form submissions. This means that anyone logged in to the site, including users with a role as low as Subscriber, could view every contact form submission. Obviously, this is not what the plugin author intended. The fix is easy enough: at the beginning of the process, before any data is read or returned, ensure the user is authorized. Luckily, WordPress makes this easy through the function current_user_can(), which checks whether the current user has the capability (permission) needed to perform an action or access a resource.
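To make the authenticated-but-not-authorized pattern concrete, here is an illustrative pair of WordPress AJAX handlers. This is added example code, not the plugin’s actual code: the hook names, the `cf_submissions` table, the nonce action name and the choice of the `manage_options` capability are all assumptions. The WordPress functions used (`add_action`, `current_user_can`, `check_ajax_referer`, `wp_send_json_success`, `wp_send_json_error`) are real.

```php
<?php
// Added illustrative example, not the plugin's own code. Assumes a table
// {prefix}cf_submissions with `id` and `data` columns (constructed for this example).

// BEFORE: authenticated, but never authorized.
// Registering only the wp_ajax_ hook (and not wp_ajax_nopriv_) means WordPress
// will only dispatch this for a logged-in user. That is authentication; nothing
// here asks what that user is allowed to do, so a Subscriber gets the data too.
add_action( 'wp_ajax_cfdb_get_submissions', 'cfdb_get_submissions_vulnerable' );
function cfdb_get_submissions_vulnerable() {
    global $wpdb;
    $rows = $wpdb->get_results(
        "SELECT id, data FROM {$wpdb->prefix}cf_submissions ORDER BY id DESC",
        ARRAY_A
    );
    wp_send_json_success( $rows ); // any logged-in user can read every submission
}

// AFTER: authorize first, then do the work.
add_action( 'wp_ajax_cfdb_get_submissions_v2', 'cfdb_get_submissions_fixed' );
function cfdb_get_submissions_fixed() {
    // 1. Authorization. Only users holding this capability may continue.
    //    'manage_options' is held by Administrators by default; a plugin could
    //    instead register its own capability (e.g. 'cfdb_view_submissions') and
    //    grant it to the roles that should see form data. Assumed choice here.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'You are not allowed to view submissions.' ), 403 );
    }

    // 2. Request integrity. Reject requests that do not carry a valid nonce for
    //    this action, so an authorized user cannot be tricked into issuing it
    //    from another site (CSRF). Dies with a 403 on failure.
    check_ajax_referer( 'cfdb_view_submissions', 'nonce' );

    // 3. Only now touch the sensitive data.
    global $wpdb;
    $rows = $wpdb->get_results(
        "SELECT id, data FROM {$wpdb->prefix}cf_submissions ORDER BY id DESC",
        ARRAY_A
    );
    wp_send_json_success( $rows );
}
```

The important detail is the order: the capability check is the first statement in the handler and short-circuits before any query runs, so there is no code path that reaches the submissions without passing it. Whether the data is returned over admin-ajax.php, the REST API or a shortcode on a page, the same rule applies: `is_user_logged_in()` (or the implicit login requirement of a `wp_ajax_` hook) is authentication only, and `current_user_can()` is what supplies authorization.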
Like many things in secure coding, the fix isn’t insurmountable; you just have to know what to do and remember to do it!