WordPress Plugin Vulnerabilities

One Click SSL <= 1.4.6 - Multiple Issues

Description

Lack of CSRF and authorisation checks in the settings page, as well as AJAX methods such as ajax_enable_ssl(), ajax_scan() and so on could allow unauthorised settings change as well as call of the AJAX methods by a low privileged user.

Additionally, it could also allow arbitrary site options update due to the way the update_option() and update_site_option() are used in the admin() and admin_network() functions.

Proof of Concept

Affects Plugins

Plugin icon
one-click-ssl
Fixed in 1.4.7

References

CVE
CVE-2019-15828
URL
https://plugins.trac.wordpress.org/changeset/2121510

Miscellaneous

Verified
Yes
WPVDB ID
f03156d3-0b6a-4fa6-a2b0-7218f3ba40a4

Timeline

Publicly Published
2019-07-11 (about 6 years ago)
Added
2019-07-11 (about 6 years ago)
Last Updated
2020-09-22 (about 5 years ago)

Other

Published
Title
Published
2019-08-02
Title
Woody Ad Snippets < 2.2.5 - Multiple issues leading to RCE
Published
2015-09-01
Title
Testimonial Slider < 1.3.2 - Authenticated Stored Cross-Site Scripting (XSS) & CSRF
Published
2016-11-15
Title
NextGEN Gallery <= 2.1.56 - Authenticated Local File Inclusion (LFI) & SQLi
Published
2015-04-29
Title
TheCartPress < 1.3.9.3 - Multiple Vulnerabilities
Published
2016-08-01
Title
WP Database Backup < 4.3.1 - CSRF & XSS