Form Lightbox - Arbitrary Option Update Leading to Admin Account



Description
This is a plugin that is no longer in the WordPress repository, however, is still in use on some sites. With this vulnerability an attacker can update any option in the WordPress database. This includes gaining an admin access.
Proof of Concept
Using the file ajax.php that contains the following line: update_option( $_POST['update'], $_POST['value']); an attacker can change the admin email option and ask for a lost password and create an admin account.

Affects Plugin

References

URL https://github.com/mart123p/wordpress-form-lightbox/commit/86419ffb5d847b47386049145fe0cbd4b0e93b23
URL http://www.myphpmaster.com/form-lightbox/

Classification

Type AUTHBYPASS
OWASP Top 10 A2: Broken Authentication and Session Management
CWE CWE-287

Miscellaneous

Submitter Martin Pouliot
Views 5871
Verified No
WPVDB ID 8557

Timeline

Publicly Published 2016-07-19 (about 3 years ago)
Added 2016-07-19 (about 3 years ago)
Last Updated 2016-07-19 (about 3 years ago)

Our Other Services

Online WordPress Vulnerability Scanner WPScan WordPress Security Plugin