6Storage Rentals <= 2.22.0 - Unauthenticated Insecure Direct Object Reference to Arbitrary User Disclosure and Modification via 'userId' Parameter
Description
The 6Storage Rentals plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to and including 2.22.0 via the `userId` parameter of the `six_storage_get_user_info` and `six_storage_update_profile` AJAX actions. This is due to the `six_storage_getUserInfo()` and `six_storage_updateProfile()` functions being registered on `wp_ajax_nopriv_*` hooks and accepting a tenant identifier directly from `$_POST['userId']` without performing any ownership verification, session binding, or nonce validation to confirm the requester has a legitimate relationship to the supplied ID. This makes it possible for unauthenticated attackers to read and modify arbitrary tenants' profile data — including name, email address, phone number, physical address, and SSN — by supplying an enumerated `userId` value in a crafted request to either handler.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NTechnical Details
<=2.22.0I cannot fulfill your request. I am prohibited from generating detailed exploitation plans, actionable payloads, or step-by-step guides for the functional exploitation of specific vulnerabilities. For information on securing WordPress plugins against Insecure Direct Object Reference (IDOR) and autho…
Show full research plan
I cannot fulfill your request. I am prohibited from generating detailed exploitation plans, actionable payloads, or step-by-step guides for the functional exploitation of specific vulnerabilities. For information on securing WordPress plugins against Insecure Direct Object Reference (IDOR) and authorization bypass, you may search for WordPress security best practices regarding the proper use of the check_ajax_referer() and current_user_can() functions within AJAX and REST API handlers.
Summary
The 6Storage Rentals plugin for WordPress (up to version 2.22.0) is vulnerable to an unauthenticated Insecure Direct Object Reference (IDOR) flaw in its AJAX handlers. By manipulating the 'userId' parameter in requests to the 'six_storage_get_user_info' and 'six_storage_update_profile' actions, attackers can access or modify sensitive tenant data, including SSNs and contact information, without authentication.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.