2J SlideShow < 1.3.40 - Authenticated Arbitrary Plugin Deactivation

Description

Lack of authorisation checks in the twoj_slideshow_setup() function registered as an AJAX call could allow authenticated users with low privileges to deactivate arbitrary plugins.

Affects Plugins

2j-slideshow

Fixed in version 1.3.40✓

References

URL

https://blog.nintechnet.com/wordpress-2j-slideshow-plugin-fixed-authenticated-arbitrary-plugin-deactivation-vulnerability/

Classification

Type

PRIVESC

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CWE-269

Miscellaneous

Original Researcher

Jerome Bruandet (nintechnet.com)

Verified

WPVDB ID

98d937b6-a149-461d-ab33-2d5af0554cb0

Timeline

Publicly Published

2020-01-20 (about 2 years ago)

Added

2020-01-20 (about 2 years ago)

Last Updated

2020-01-21 (about 2 years ago)

Our Other Services

WPScan WordPress Security Plugin