Campaign Monitor Forms < 2.5.6 - Subscriber+ Arbitrary Options Update

WPEX-ID: 3167A83C-291E-4372-A42E-D842205BA722
Source: Unlock Security (wpexploit)
Published: 2023-10-09

Tags: campaign monitor forms, arbitrary options update, ajax action, wordpress options, denial of service, security exploit

AI Score: 7.1 High (Confidence: Low)
EPSS: 0.0005 Low (Percentile: 16.2%)

Description

The plugin does not prevent users with low privileges (such as subscribers) from overwriting any option on the site with the string "true", which can lead to a variety of outcomes, including denial of service.

Once the site has recorded at least 25 conversions through the plugin, a notice is shown in the administration panel to all logged-in users, regardless of their role.

Clicking the "Dismiss" button invokes the `fca_eoi_dismiss` AJAX action with two parameters: `nonce` and `option`.

The `option` parameter is not validated before being used in this line of code:

```php
# campaign-monitor-wp/includes/eoi-post-types.php
if ( update_option( $option, 'true' ) ) {
```

Since the AJAX action's callback performs no additional privilege check, an attacker with a Subscriber or higher role can set any WordPress option to the value `true`.

Because the value is fixed to `true`, standard attacks such as changing the site URL or the default role for new users are not possible, but the flaw is easy to turn into a denial of service by overwriting options belonging to plugins, themes, or WordPress core itself.

```http
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/116.0
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 69
Cookie: <YOUR AUTHOR+ COOKIES>

action=fca_eoi_dismiss&option=<THE OPTION YOU WANT TO SET TO TRUE>&nonce=<YOUR NONCE>
```
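The root cause is that a user-supplied string reaches `update_option()` as the option name with no capability check and no restriction on which option may be touched. The following hardened callback is an added illustration of how such a dismiss handler should be written; it is not the plugin's actual code or the fix shipped in 2.5.6. The nonce action name `fca_eoi_dismiss_nonce` and the allowlisted option name `fca_eoi_dismiss_review_notice` are placeholders, not values from the advisory.

```php
<?php
// Added example, not the plugin's own code: a hardened version of the
// fca_eoi_dismiss AJAX handler. It (1) verifies the nonce, (2) requires a
// capability that subscribers do not have, and (3) only accepts option
// names from a fixed allowlist instead of passing the raw `option`
// request parameter straight to update_option().
//
// Assumptions (not taken from the advisory): the nonce action name
// 'fca_eoi_dismiss_nonce' and the option name in $allowed are placeholders.

add_action( 'wp_ajax_fca_eoi_dismiss', 'fca_eoi_dismiss_hardened' );

function fca_eoi_dismiss_hardened() {
    // 1. CSRF protection: terminates the request with HTTP 403 if the
    //    `nonce` parameter is missing or does not match the action.
    check_ajax_referer( 'fca_eoi_dismiss_nonce', 'nonce' );

    // 2. Authorization: dismissing an admin notice is an administrative
    //    action, so require manage_options. Subscribers lack it, which closes
    //    the Subscriber+ path described in the advisory.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges' ), 403 );
    }

    // 3. Input validation: the request may only select from known option
    //    names. An arbitrary option key from the client is never honoured,
    //    so core, plugin and theme options cannot be clobbered.
    $allowed = array(
        'fca_eoi_dismiss_review_notice', // placeholder option name
    );
    $option = isset( $_POST['option'] )
        ? sanitize_key( wp_unslash( $_POST['option'] ) )
        : '';
    if ( ! in_array( $option, $allowed, true ) ) {
        wp_send_json_error( array( 'message' => 'Unknown option' ), 400 );
    }

    // Only now is the (allowlisted) option written.
    if ( update_option( $option, 'true' ) ) {
        wp_send_json_success();
    }
    wp_send_json_error( array( 'message' => 'Option unchanged' ), 500 );
}
```

The capability check on its own would already block subscribers, but the allowlist is what removes the arbitrary-option primitive entirely, so a future bug in the authorization logic does not reopen it. The same `current_user_can( 'manage_options' )` test belongs on the code that renders the notice, so that the "Dismiss" button is only shown to users who are allowed to act on it.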
