
[Bug]: 3.14.27 is vulnerable to Broken Access Control #1329

Closed
kiyote33 opened this issue Jan 29, 2024 · 1 comment · Fixed by #1330
kiyote33 (Collaborator) commented Jan 29, 2024

Contact Details

devs@code4recovery.org

Website With Issue

https://patchstack.com/database/report-preview/68ad7d69-5e92-4fcc-9a30-62501b3b26b8?pin=FUIrb4IghDgUA6b0

What happened?

Technical details of recent vulnerability → Unfortunately our 3.14.27 patch didn't quite fix the problem referred to in the details. While a subscriber could not access the "Import & Export" page when logged in as a subscriber, they could and still can execute "https://code4recovery.org/wp-admin/admin-ajax.php?action=csv" from the address bar and download the meetings.csv file. The good news is that it's pretty easy to wrap the export code with some current_user_can() code. The 3.14.27 patch did get us off the Wordfence radar for now, but we will need to submit a patchlink to Patchstack so it doesn't get put out to the larger community in February...

What browsers are you seeing the problem on?

No response

Relevant log output/errors

The original report is available here: https://patchstack.com/database/report-preview/68ad7d69-5e92-4fcc-9a30-62501b3b26b8?pin=FUIrb4IghDgUA6b0

@kiyote33 kiyote33 added the bug label Jan 29, 2024
@joshreisner joshreisner self-assigned this Jan 29, 2024
joshreisner (Contributor) commented

Just a note: this is not really a bug. The intent of the CSV function is to be allowed to be used publicly; it's sort of the whole thing that started me on this journey back in 2013. Our local website was terrible, but they had a "download CSV" link I could use to make it better. The intent of keeping this a 'nopriv' ajax function was to enable sites to share their data if they chose to. I suppose that there are other ways to go about this though that don't look like a security oversight, so I can expedite a 'fix' to revoke this capability.
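The two sides of this thread, as an added illustration that is not the plugin's own code: the report above describes an export reachable by anyone through `admin-ajax.php?action=csv`, and the maintainer's note explains that this came from registering the handler on WordPress's `nopriv` hook. The hook names below follow WordPress's `wp_ajax_{action}` / `wp_ajax_nopriv_{action}` convention for `action=csv`; the callback names, the `manage_options` capability, the nonce action name and the sample rows are assumptions made for the example.

```php
<?php
// Added example (not the plugin's code). Assumed names: example_csv_export_open,
// example_csv_export_guarded, nonce action 'example_csv', capability 'manage_options'.

// Constructed sample data standing in for the real meeting list.
function example_csv_rows() {
    return array(
        array( 'Name', 'Day', 'Time' ),
        array( 'Morning Group', 'Monday', '07:00' ),
        array( 'Evening Group', 'Thursday', '19:30' ),
    );
}

function example_csv_send() {
    header( 'Content-Type: text/csv' );
    header( 'Content-Disposition: attachment; filename="meetings.csv"' );
    $out = fopen( 'php://output', 'w' );
    foreach ( example_csv_rows() as $row ) {
        fputcsv( $out, $row );
    }
    fclose( $out );
    wp_die(); // end the AJAX response cleanly
}

// BEFORE (the situation described in the report): the same callback is hooked
// for logged-in AND anonymous requests, so any visitor who loads
// /wp-admin/admin-ajax.php?action=csv receives the file. Hiding the
// "Import & Export" menu page changes nothing here, because this endpoint
// is not that page.
function example_csv_export_open() {
    example_csv_send();
}
add_action( 'wp_ajax_csv', 'example_csv_export_open' );
add_action( 'wp_ajax_nopriv_csv', 'example_csv_export_open' );

// AFTER: no nopriv hook, and the callback checks a capability before doing
// any work. Being logged in is not enough on its own; a subscriber is logged
// in too, which is exactly the case reported above. The nonce check ties the
// request to a form rendered on the Import & Export page, so the bare URL
// typed into the address bar is refused even for an administrator.
function example_csv_export_guarded() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You do not have permission to export meetings.', 403 );
    }
    check_ajax_referer( 'example_csv', 'nonce' ); // dies with 403 on a bad/missing nonce
    example_csv_send();
}
add_action( 'wp_ajax_csv', 'example_csv_export_guarded' );
```

To verify a fix of this shape, request the `action=csv` URL in a private browser window (no session) and as a subscriber; both should return a 403 or `0` rather than the CSV body, while an administrator submitting from the page with its nonce still gets the download.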
