WooRockets Nitro <= 1.7.9 – Unauthenticated Arbitrary Plugin Installation

Description

The theme does not have authorisation in some of its AJAX actions, and relied on CSRF checks for it. As one of the action allowed for nonces to be disclosed under a specific circumstance, unauthenticated users could then use them to install and active arbitrary plugins (via a zip file), as well as set the blog as a demo, erasing existing data

Proof of Concept

The PoC will be displayed once the issue has been remediated.

Affects Themes

wr-nitro

No known fix

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CWE-862

CVSS

10.0 (critical)

Miscellaneous

Original Researcher

Brad Patton

Submitter

Brad Patton

Verified

Yes

WPVDB ID

22071df4-73fc-4074-a395-86f2760d461e

Timeline

Publicly Published

2021-11-03 (about 4 years ago)

Added

2022-01-04 (about 4 years ago)

Last Updated

2022-01-04 (about 4 years ago)

Other

Published

Title

Published

2025-03-31

Title

Auto Post After Image Upload <= 1.6 - Missing Authorization

Published

2025-12-15

Title

Request a Quote < 2.5.4 - Missing Authorization

Published

2023-11-16

Title

wpMandrill <= 1.33 - Missing Authorization via getAjaxStats

Published

2026-01-22

Title

Institutions Directory <= 1.3.4 - Missing Authorization

Published

2026-03-19

Title

RockPress < 1.0.18 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Modification via AJAX Actions