2J SlideShow < 1.3.40 - Authenticated Arbitrary Plugin Deactivation



Description
The twoj_slideshow_setup() function, which is registered as an AJAX action, lacks authorisation checks. This could allow authenticated users with low privileges to deactivate arbitrary plugins.

Affects Plugin

fixed in version 1.3.40

References

URL https://blog.nintechnet.com/wordpress-2j-slideshow-plugin-fixed-authenticated-arbitrary-plugin-deactivation-vulnerability/

Classification

Type PRIVESC
OWASP Top 10 A2: Broken Authentication and Session Management
CWE CWE-269

Miscellaneous

Original Researcher Jerome Bruandet (nintechnet.com)
Views 3475
Verified No
WPVDB ID 10034

Timeline

Publicly Published 2020-01-20
Added 2020-01-20
Last Updated 2020-01-21
