Form Lightbox - Arbitrary Option Update Leading to Admin Account

Description

This is a plugin that is no longer in the WordPress repository, however, is still in use on some sites. With this vulnerability an attacker can update any option in the WordPress database. This includes gaining an admin access.

Proof of Concept

Using the file ajax.php that contains the following line: update_option( $_POST['update'], $_POST['value']); an attacker can change the admin email option and ask for a lost password and create an admin account.

Affects Plugin

form-lightbox

References

URL	https://github.com/mart123p/wordpress-form-lightbox/commit/86419ffb5d847b47386049145fe0cbd4b0e93b23
URL	http://www.myphpmaster.com/form-lightbox/

Classification

Type	AUTHBYPASS
OWASP Top 10	A2: Broken Authentication and Session Management
CWE	CWE-287

Miscellaneous

Submitter	Martin Pouliot
Views	2762
Verified	No
WPVDB ID	8557

Timeline

Publicly Published	2016-07-19 (almost 3 years ago)
Added	2016-07-19 (over 2 years ago)
Last Updated	2016-07-19 (over 2 years ago)

Copyright & License

Copyright	All data and resources contained within this page and this web site is Copyright © The WPScan Team.
License	Some of this data may be used for non-commercial purposes, however, any potential commercial usage of this data will require a license. If you would like to inquire about a commercial license please contact us.