WordPress Plugin Vulnerabilities

Flo Launch < 2.4.1 - Missing Authentication Allow Full Site Takeover

Description

The plugin injects code into wp-config.php when creating a cloned site, allowing any attacker to initiate a new site install by setting the flo_custom_table_prefix cookie to an arbitrary value.

Proof of Concept

On any website where flo-launch is active create cookie "flo_custom_table_prefix" with any string value to initiate new WordPress instance setup.

Complete setup and login as admin.

Affects Plugins

Plugin icon
flo-launch
Fixed in 2.4.1

References

CVE
CVE-2022-0541

Classification

Type
ACCESS CONTROLS
OWASP top 10
A5: Broken Access Control
CWE
CWE-284
CVSS
10.0 (critical)

Miscellaneous

Original Researcher
Daniel Ruf
Submitter
Daniel Ruf
Submitter website
https://daniel-ruf.de
Verified
Yes
WPVDB ID
822cac2c-decd-4aa4-9e8e-1ba2d0c080ce

Timeline

Publicly Published
2022-03-29 (about 1 years ago)
Added
2022-03-29 (about 1 years ago)
Last Updated
2022-04-11 (about 1 years ago)

Other

Published
Title
Published
2022-06-28
Title
Custom Product Tabs for WooCommerce < 1.7.8 - Unauthenticated Toggle Content Setting Update
Published
2021-09-21
Title
WP Mega Menu < 1.4.0 - Unauthenticated Arbitrary Post Access
Published
2021-10-19
Title
Download Plugin < 1.6.1 - Subscriber+ Arbitrary Plugin Activation
Published
2021-08-02
Title
WP LMS < 1.1.5 - Unauthenticated Arbitrary User Field Edition/Creation
Published
2021-05-26
Title
Simple 301 Redirects by BetterLinks - 2.0.0 – 2.0.3 - Arbitrary Plugin Activation