Flo Launch < 2.4.1 – Missing Authentication Allow Full Site Takeover | CVE 2022-0541 | Plugin Vulnerabilities

Description

The plugin injects code into wp-config.php when creating a cloned site, allowing any attacker to initiate a new site install by setting the flo_custom_table_prefix cookie to an arbitrary value.

Proof of Concept

On any website where flo-launch is active create cookie "flo_custom_table_prefix" with any string value to initiate new WordPress instance setup.

Complete setup and login as admin.

Affects Plugins

Fixed in 2.4.1

References

CVE

Classification

Type

ACCESS CONTROLS

OWASP top 10

A5: Broken Access Control

CWE

CVSS

10.0 (critical)

Miscellaneous

Original Researcher

Daniel Ruf

Submitter

Daniel Ruf

Submitter website

https://daniel-ruf.de

Verified

Yes

WPVDB ID

822cac2c-decd-4aa4-9e8e-1ba2d0c080ce

Timeline

Publicly Published

2022-03-29 (about 2 years ago)

Added

2022-03-29 (about 2 years ago)

Last Updated

2022-04-11 (about 2 years ago)

Other

Published

Title

Published

2021-05-07

Title

Leads-5050 Visitor Insights < 1.1.0 - Unauthorised License Change

Published

2020-10-16

Title

TI WooCommerce Wishlist - Authenticated WP Options Change

Published

2021-06-14

Title

BCS BatchLine Book Importer < 1.5.8 - Unauthenticated Product Import

Published

2024-02-06

Title

Customer Reviews for WooCommerce < 5.39.0 - Improper Authorization via submit_review

Published

2021-07-07

Title

WP Upload Restriction < 2.2.5 - Missing Access Control in getSelectedMimeTypesByRole