Form Lightbox - Arbitrary Option Update Leading to Admin Account

Description

This is a plugin that is no longer in the WordPress repository, however, is still in use on some sites. With this vulnerability an attacker can update any option in the WordPress database. This includes gaining an admin access.

Proof of Concept

Using the file ajax.php that contains the following line: update_option( $_POST['update'], $_POST['value']); an attacker can change the admin email option and ask for a lost password and create an admin account.

Affects Plugin

form-lightbox

References

URL	https://github.com/mart123p/wordpress-form-lightbox/commit/86419ffb5d847b47386049145fe0cbd4b0e93b23
URL	http://www.myphpmaster.com/form-lightbox/

Classification

Type	AUTHBYPASS
OWASP Top 10	A2: Broken Authentication and Session Management
CWE	CWE-287

Miscellaneous

Submitter	Martin Pouliot
Views	5871
Verified	No
WPVDB ID	8557

Timeline

Publicly Published	2016-07-19 (about 3 years ago)
Added	2016-07-19 (about 3 years ago)
Last Updated	2016-07-19 (about 3 years ago)

Our Other Services

Online WordPress Vulnerability Scanner

WPScan WordPress Security Plugin