WordPress Plugin Vulnerabilities

Event Manager for WooCommerce < 3.5.3 - Unauthenticated Arbitrary Options Reset

Description

The plugin has two AJAX actions, mep_wl_ajax_license_activate and mep_wl_ajax_license_deactivate, which are available to both unauthenticated and authenticated users, and are lacking any authorisation, CSRF as well as checks to ensure that the options to be updated belong to the plugin. As a result, unauthenticated users can reset arbitrary blog options (as they will be set to ''), for example disabling the user registration, or disabling all active plugins.

Proof of Concept

Affects Plugins

Plugin icon
mage-eventpress
Fixed in 3.5.3

Classification

Type
ACCESS CONTROLS
OWASP top 10
A5: Broken Access Control
CWE
CWE-284
CVSS
8.2 (high)

Miscellaneous

Original Researcher
WPScanTeam
Verified
Yes
WPVDB ID
75212a4d-02e6-4164-8337-74219b2607b7

Timeline

Publicly Published
2021-11-03 (about 4 years ago)
Added
2021-11-03 (about 4 years ago)
Last Updated
2021-11-03 (about 4 years ago)

Other

Published
Title
Published
2021-08-25
Title
Advanced Custom Fields < 5.11 - Subscriber+ Arbitrary ACF Data/Field Groups View and Fields Move
Published
2021-08-23
Title
Timetable and Event Schedule by MotoPress < 2.4.2 - Unauthorised Event TimeSlot Update
Published
2021-08-17
Title
PostX Gutenberg Blocks for Post Grid < 2.4.10 - Missing Access Controls
Published
2021-04-17
Title
WordPress Download Manager < 3.1.18 - Unauthorised Download Duplication
Published
2021-08-26
Title
Woffice < 4.0.2 - Unauthenticated Disclosure of Notification Titles