Summary
An incorrect capability check in the distributor/list-pull-content REST API endpoint may expose private data, content.raw, users without the correct permissions.
Details
The custom REST API endpoint uses the check_read_permission() function to determine if a user can read the content. While this function is correct for checking if a user can read content, the result is used to determine if the user can read data that is intended to be private:
|
if ( ! check_read_permission( $post ) ) { |
|
continue; |
|
} |
|
|
|
$formatted_posts[] = array( |
|
'id' => $post->ID, |
|
'title' => array( 'rendered' => $post->post_title ), |
|
'excerpt' => array( 'rendered' => $post->post_excerpt ), |
|
'content' => array( 'raw' => $post->post_content ), |
|
'password' => $post->post_password, |
|
'date' => $post->post_date, |
|
'date_gmt' => $post->post_date_gmt, |
|
'guid' => array( 'rendered' => $post->guid ), |
|
'modified' => $post->post_modified, |
|
'modified_gmt' => $post->post_modified_gmt, |
|
'type' => $post->post_type, |
|
'link' => get_the_permalink( $post ), |
|
'comment_status' => $post->comment_status, |
|
'ping_status' => $post->ping_status, |
|
); |
|
} |
The effected data is:
- $post->post_title (should be obtained via
get_the_title())
- $post->post_excerpt (should be run through the
get_the_excerpt filter)
- $post->post_content (should be run obtained via
Utils\get_processed_content())
- $post->post_password (should not be shared)
- $post->guid (should be run through the
get_the_guid filter)
Users with the edit_post meta capability are permitted to read each of these items in their unmodified (raw) forms.
PoC
Configuration
- Set up a Distributor site from scratch (WP + the plugin only)
- Add a subscriber user (wpcli command here for ease)
- Log in as the subscriber
- Create an application password
POC using default "Hello World" Post
- Run a curl request in the edit context for the WP Post endpoint curl 'http://subscriber:apppassword@example.local/wp-json/wp/v2/posts/1?context=edit'
- Observe result: Sorry, you are not allowed to edit this post.
- Run a curl request to the distributor endpoint curl -XPOST 'http://subscriber:apppassword@example.local/wp-json/wp/v2/distributor/list-pull-content'
- Observe the result: post contains raw data
Impact
Data exposure
See also
peterwilsoncc Reporter
dkotter Remediation reviewer
jeffpaul Remediation reviewer
Summary
An incorrect capability check in the
distributor/list-pull-contentREST API endpoint may expose private data,content.raw, users without the correct permissions.Details
The custom REST API endpoint uses the
check_read_permission()function to determine if a user can read the content. While this function is correct for checking if a user can read content, the result is used to determine if the user can read data that is intended to be private:distributor/includes/rest-api.php
Lines 466 to 486 in 753c325
The effected data is:
get_the_title())get_the_excerptfilter)Utils\get_processed_content())get_the_guidfilter)Users with the
edit_postmeta capability are permitted to read each of these items in their unmodified (raw) forms.PoC
Configuration
POC using default "Hello World" Post
Impact
Data exposure
See also