Kodeo Admin UI full privilege escalation
Kodeo Admin UI prior to version 1.1.9.2 is vulnerable to
In classes/class-admin-ui.php on line 511 the public function kaui_notice_dismissed gives a potential attacker full control by modifying cookie values (either his own or get an admin to login).
public function kaui_notice_dismissed() {
if( !empty( $_POST['id'] ) ) {
$notice_id = $_POST['id'];
if( !empty( $_COOKIE['kaui_dismissed_notices'] ) ) {
$dismissed_notices_cookie = json_decode( stripslashes( $_COOKIE['kaui_dismissed_notices'] ), true );
} else {
$dismissed_notices_cookie = array();
}
$dismissed_notices_cookie[] = $notice_id;
$dismissed_notices_cookie = json_encode( $dismissed_notices_cookie );
setcookie( 'kaui_dismissed_notices', $dismissed_notices_cookie );
wp_send_json_success();
}
wp_send_json_error();
}
One potential exploit in this WordPress plugin is that the $_COOKIE[‚kaui_dismissed_notices‘] variable is not being properly sanitized or validated before it is used.
This could allow an attacker to submit arbitrary input through the kaui_dismissed_notices cookie, which could potentially be used to perform an SQL injection, remote code execution or other types of malicious activity.
To exploit this vulnerability, an attacker could submit any code to get executed serverside or on client side.
This could result in data loss or other forms of damage.
To mitigate this issue, the code should validate and sanitize the kaui_dismissed_notices input before using it.
Can be done using the wp_kses() function to strip out any potentially dangerous HTML or script tags, or by using a whitelist of allowed values for the kaui_dismissed_notices parameter.
Additionally, the code should check the value of $_COOKIE[‚kaui_dismissed_notices‘] to ensure that it is not empty or null before using it.
