Form Lightbox – Arbitrary Option Update Leading to Admin Account | Plugin Vulnerabilities

Description

This is a plugin that is no longer in the WordPress repository, however, is still in use on some sites. With this vulnerability an attacker can update any option in the WordPress database. This includes gaining an admin access.

Proof of Concept

Using the file ajax.php that contains the following line: update_option( $_POST['update'], $_POST['value']); an attacker can change the admin email option and ask for a lost password and create an admin account.

Affects Plugins

No known fix

References

URL

https://github.com/mart123p/wordpress-form-lightbox/commit/86419ffb5d847b47386049145fe0cbd4b0e93b23

URL

http://www.myphpmaster.com/form-lightbox/

Classification

Type

AUTHBYPASS

OWASP top 10

A2: Broken Authentication and Session Management

CWE

Miscellaneous

Submitter

Martin Pouliot

Verified

No

WPVDB ID

9c21a535-7aaf-460d-8369-d8867bc47115

Timeline

Publicly Published

2016-07-19 (about 9 years ago)

Added

2016-07-19 (about 9 years ago)

Last Updated

2019-11-01 (about 6 years ago)

Other

Published

Title

Published

2025-04-03

Title

Booking Calendar and Notification <= 4.0.3 - Authentication Bypass

Published

2020-03-31

Title

Elementor Page Builder < 2.9.6 - Authenticated Safe Mode Privilege Escalation

Published

2014-08-01

Title

Spam Free Plugin 1.9.2 - IP Blocklist Restriction Bypass

Published

2025-03-04

Title

WP Real Estate Manager <= 2.8 - Authentication Bypass

Published

2021-08-24

Title

Booster for WooCommerce < 5.4.4 - Authentication Bypass