The WP Remote Users Sync plugin for WordPress is vulnerable to unauthorized access of data and addition of data due to a missing capability check on the refresh_logs_async functions in versions up to, and including, 1.2.11. This makes it possible for authenticated attackers with subscriber privileges or above, to view logs.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Wp_remote_users_sync | Froger | * | 1.2.12 (excluding) |
References
- https://plugins.trac.wordpress.org/browser/wp-remote-users-sync/trunk/inc/class-wprus-logger.php#L117
- https://plugins.trac.wordpress.org/changeset/2946667/wp-remote-users-sync#file130
- https://www.wordfence.com/threat-intel/vulnerabilities/id/2e87cfc4-8e7c-47d6-80fc-9c293cdd8acb?source=cve
- https://plugins.trac.wordpress.org/browser/wp-remote-users-sync/trunk/inc/class-wprus-logger.php#L117
- https://plugins.trac.wordpress.org/changeset/2946667/wp-remote-users-sync#file130
- https://www.wordfence.com/threat-intel/vulnerabilities/id/2e87cfc4-8e7c-47d6-80fc-9c293cdd8acb?source=cve