Source: wpvulndb / Unlock Security
WPVDB-ID: 3167A83C-291E-4372-A42E-D842205BA722
History: Oct 09, 2023 - 12:00 a.m.

Campaign Monitor Forms < 2.5.6 - Subscriber+ Arbitrary Options Update

2023-10-09 00:00:00
Unlock Security
wpscan.com
Tags: campaign monitor forms, arbitrary options update, dos, wordpress, subscriber+

AI Score: 7 High (Confidence: High)

EPSS: 0.0005 Low (Percentile: 16.2%)

Description

The plugin does not prevent users with low privileges (such as subscribers) from overwriting any option on the site with the string “true”, which can lead to a variety of outcomes, including DoS.

PoC

Once the site has recorded at least 25 conversions through the plugin, a notice is shown in the administration panel to all logged-in users, regardless of their role. Clicking the “Dismiss” button invokes the fca_eoi_dismiss AJAX action with two parameters: nonce and option. The option parameter is not sanitized before being used in this line of code:

    # campaign-monitor-wp/includes/eoi-post-types.php, line 1938
    if ( update_option( $option, 'true' ) ) {

Since the AJAX action’s callback function performs no additional privilege checks, an attacker with a Subscriber+ role can set any WordPress option to the value true. Being limited to the value true rules out standard attacks such as changing the site URL or the default role for new users, but it is easy to cause a denial of service by overwriting the options of plugins, themes, or WordPress itself.

    POST /wp-admin/admin-ajax.php HTTP/1.1
    Host: 127.0.0.1
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/116.0
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 69
    Cookie: 

    action=fca_eoi_dismiss&option=&nonce=
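The fix pattern for this class of bug, shown below as an added example that is not the plugin's own code: the handler must check a nonce (CSRF only), require a capability (authorization), and accept option names only from an allowlist instead of writing whatever the request supplies. The callback names, the nonce action string and the allowlisted option keys are assumptions; only the action name fca_eoi_dismiss and the quoted update_option() line come from the advisory.

```php
<?php
// Added example, not code from the Campaign Monitor Forms plugin.
// Vulnerable pattern reported in the advisory (reconstructed from the quoted line):
// the option name comes straight from the request and any logged-in user can reach it.
function fca_eoi_dismiss_vulnerable_example() {
    $option = $_POST['option'];               // attacker-controlled, not sanitized
    if ( update_option( $option, 'true' ) ) { // any option name, no capability check
        wp_send_json_success();
    }
    wp_send_json_error();
}

// Hardened handler. Callback name, nonce action and allowlist entries are assumptions.
function fca_eoi_dismiss_hardened_example() {
    // 1. Nonce: proves the request came from a page this user was shown (CSRF defence,
    //    NOT an authorization check; a subscriber can still obtain a valid nonce).
    check_ajax_referer( 'fca_eoi_dismiss_nonce', 'nonce' );

    // 2. Capability: dismissing admin notices is an administrative action.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // 3. Allowlist: only the plugin's own dismiss flags may be written, never an
    //    arbitrary option such as a theme's or WordPress core's settings.
    $allowed = array(
        'fca_eoi_dismiss_conversion_notice', // placeholder keys, not the plugin's real ones
        'fca_eoi_dismiss_review_notice',
    );
    $option = isset( $_POST['option'] ) ? sanitize_key( wp_unslash( $_POST['option'] ) ) : '';
    if ( ! in_array( $option, $allowed, true ) ) {
        wp_send_json_error( 'unknown option', 400 );
    }

    // 4. Store a typed value rather than the string 'true'.
    update_option( $option, 1 );
    wp_send_json_success();
}
add_action( 'wp_ajax_fca_eoi_dismiss', 'fca_eoi_dismiss_hardened_example' );
```

For detection on an unpatched site, repeated admin-ajax.php requests with action=fca_eoi_dismiss from subscriber-level accounts, or unexpected options suddenly holding the value "true", are the signals to watch.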

CPE

Name        Operator    Version
            eq          2.5.6

