CVE-2026-9185
Received - Intake
Authorization Bypass in 6Storage Rentals WordPress Plugin

Publication date: 2026-06-09

Last updated on: 2026-06-09

Assigner: Wordfence

Description
The 6Storage Rentals plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to and including 2.22.0 via the `userId` parameter of the `six_storage_get_user_info` and `six_storage_update_profile` AJAX actions. This is due to the `six_storage_getUserInfo()` and `six_storage_updateProfile()` functions being registered on `wp_ajax_nopriv_*` hooks and accepting a tenant identifier directly from `$_POST['userId']` without performing any ownership verification, session binding, or nonce validation to confirm the requester has a legitimate relationship to the supplied ID. This makes it possible for unauthenticated attackers to read and modify arbitrary tenants' profile data (including name, email address, phone number, physical address, and SSN) by supplying an enumerated `userId` value in a crafted request to either handler.
Meta Information
Published: 2026-06-09
Last Modified: 2026-06-09
Generated: 2026-06-09
AI Q&A: 2026-06-09
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: 6storage_rentals
Product: six_storage_rentals
Version / Range: to 2.22.0 (inc)
CWE ID: CWE-639
Description: The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Executive Summary

The 6Storage Rentals plugin for WordPress has a vulnerability called Authorization Bypass Through User-Controlled Key. This affects all versions up to and including 2.22.0. The issue arises because the plugin's AJAX actions `six_storage_get_user_info` and `six_storage_update_profile` accept a `userId` parameter from unauthenticated requests without verifying if the requester actually owns or is authorized to access that user ID.

Specifically, the functions `six_storage_getUserInfo()` and `six_storage_updateProfile()` are registered on `wp_ajax_nopriv_*` hooks, meaning they can be called without authentication. They take the `userId` directly from the POST data without checking ownership, session binding, or nonce validation. This allows attackers to supply arbitrary `userId` values and read or modify other tenants' profile data.

  • Attackers can access or change sensitive information such as name, email address, phone number, physical address, and Social Security Number (SSN) of other users.
Impact Analysis

This vulnerability can have serious impacts because it allows unauthenticated attackers to read and modify sensitive personal data of other users without permission.

  • Exposure of personally identifiable information (PII) such as names, emails, phone numbers, physical addresses, and SSNs.
  • Unauthorized modification of user profiles, potentially leading to identity theft or fraud.
  • Loss of user trust and damage to the reputation of the affected website or service.
  • Potential legal and financial consequences due to mishandling of sensitive data.
Compliance Impact

The vulnerability allows unauthenticated attackers to read and modify arbitrary tenants' profile data, including sensitive personal information such as name, email address, phone number, physical address, and Social Security Number (SSN).

Such unauthorized access and modification of personal and sensitive data can lead to non-compliance with data protection regulations like GDPR and HIPAA, which require strict controls over personal data confidentiality and integrity.

Detection Guidance

This vulnerability can be detected by monitoring for unauthorized AJAX requests to the WordPress endpoint that handles the `six_storage_get_user_info` and `six_storage_update_profile` actions. Specifically, look for HTTP POST requests to `wp-admin/admin-ajax.php` that contain the `userId` parameter together with the action `six_storage_get_user_info` or `six_storage_update_profile`.

Network traffic inspection tools or web server logs can be filtered for these requests. Default access logs record the request line but not the POST body, so a grep like the following matches only requests that carry `action` and `userId` in the query string:

  • grep 'admin-ajax.php' /var/log/apache2/access.log | grep -E 'action=six_storage_get_user_info|action=six_storage_update_profile' | grep 'userId='

Alternatively, using a network packet capture tool like tcpdump or Wireshark to filter HTTP POST requests containing these parameters could help identify exploitation attempts.

Mitigation Strategies

Immediate mitigation steps include updating the 6Storage Rentals plugin to a version later than 2.22.0 where this vulnerability is fixed.

If an update is not immediately possible, restrict access to the vulnerable AJAX endpoints by implementing firewall rules or web application firewall (WAF) rules to block unauthenticated requests to the `six_storage_get_user_info` and `six_storage_update_profile` actions.

Additionally, monitor logs for suspicious activity targeting these endpoints and consider temporarily disabling the plugin if the risk is high.
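
The blocking and log-monitoring steps above can be combined in a WordPress must-use plugin, shown here as an added example that is not code from the plugin vendor or from this advisory. It refuses the two actions for callers without a WordPress session and logs each attempt, including the `userId` that access logs miss when it travels in the POST body. The file name and the log prefix are assumptions.

```php
<?php
/**
 * Plugin Name: 6Storage nopriv AJAX guard (added example, not vendor code)
 * Assumed location: wp-content/mu-plugins/sixstorage-ajax-guard.php
 */

// Action names as given in the advisory text.
const SIXSTORAGE_GUARDED_ACTIONS = array(
    'six_storage_get_user_info',
    'six_storage_update_profile',
);

// admin-ajax.php fires admin_init before it dispatches wp_ajax_nopriv_{action},
// so refusing here stops the request before the plugin's handler runs.
add_action('admin_init', function () {
    if (!wp_doing_ajax() || is_user_logged_in()) {
        return; // not an AJAX call, or the caller has a WordPress session
    }

    $action = (isset($_REQUEST['action']) && is_scalar($_REQUEST['action']))
        ? (string) wp_unslash($_REQUEST['action'])
        : '';
    if (!in_array($action, SIXSTORAGE_GUARDED_ACTIONS, true)) {
        return; // some other plugin's action, leave it alone
    }

    // Reduce the supplied identifier to a safe character set before logging,
    // so a request cannot inject line breaks or control bytes into the log.
    $user_id = (isset($_POST['userId']) && is_scalar($_POST['userId']))
        ? substr(preg_replace('/[^A-Za-z0-9_-]/', '', (string) $_POST['userId']), 0, 64)
        : '-';
    $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '-';

    // Log prefix is an assumption; alert on repeated hits or many distinct
    // userId values from one address.
    error_log(sprintf(
        '[sixstorage-guard] blocked unauthenticated action=%s userId=%s ip=%s',
        $action,
        $user_id,
        $ip
    ));

    // Sends a JSON error with HTTP 403 and ends the request.
    wp_send_json_error(array('message' => 'Authentication required.'), 403);
}, 0);
```

Any plugin feature that relies on these two actions for visitors without a WordPress login stops working while the guard is active. The guard does not add the missing ownership check, so the plugin update remains the fix.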
