WordPress Plugin Vulnerabilities

WP Dependency Installer < 4.3.1 - Subscriber+ Arbitrary Plugin Activation

Description

The wp-dependency-installer library, used in the plugins does not have authorisation and CSRF checks in its dependency_installer AJAX action with the activate method, allowing any authenticated users, such as subscriber to activate arbitrary plugin installed on the blog. Furthermore, despite having a capability check, the install method was missing any CSRF which could allow attackers to make a logged in admin install plugins defined in the wp-dependencies.json via a CSRF attack.

Proof of Concept

Affects Plugins

Plugin icon
classic-editor-addon
Fixed in 2.6.4
Plugin icon
wp-debugging
Fixed in 2.11.7
Plugin icon
lean-wp
No known fix

Classification

Type
ACCESS CONTROLS
OWASP top 10
A5: Broken Access Control
CWE
CWE-284
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Jan w Oleju
Submitter
Jan w Oleju
Verified
Yes
WPVDB ID
939b6f2f-1e62-4a32-bcb7-2e0a340f6cc6

Timeline

Publicly Published
2022-01-24 (about 4 years ago)
Added
2022-01-24 (about 4 years ago)
Last Updated
2022-01-24 (about 4 years ago)

Other

Published
Title
Published
2024-02-16
Title
WP Maintenance < 6.1.7 - Information Exposure
Published
2022-12-28
Title
Optimize images ALT Text (alt tag) & names for SEO using AI < 2.0.8 - Settings Update via CSRF
Published
2022-03-28
Title
Shopping Cart & eCommerce Store < 5.2.5 - Arbitrary Design Settings Update via CSRF
Published
2024-02-19
Title
WPify Woo Czech < 4.0.9 - Missing Authorization
Published
2019-07-10
Title
WP-GraphQL < 0.3.5 - Improper Access Control