Hybrid Composer <= 1.4.6 - Unauthenticated Options Update



Description
This plugin has a function to update Wordpress options via Ajax and it's set with the following:
add_action('wp_ajax_nopriv_hc_ajax_save_option', 'hc_ajax_save_option');

Which means it does not require authentication and is exploitable by anyone on the internet.

I've already spoken to the plugin author about this and he has patched the plugin and notified his users.

http://wordpress.framework-y.com/hybrid-composer/
Proof of Concept The PoC will be displayed on July 26, 2019, to give users the time to update.

Affects Plugin

fixed in version 1.4.7

References

URL https://labs.sucuri.net/wptf-hybrid-composer-unauthenticated-arbitrary-options-update/

Classification

Type BYPASS

Miscellaneous

Original Researcher rootetsy
Submitter Brad Patton
Submitter Website https://rootetsy.com
Views 1161
Verified Yes
WPVDB ID 9452

Timeline

Publicly Published 2019-07-10 (14 days ago)
Added 2019-07-12 (11 days ago)
Last Updated 2019-07-16 (7 days ago)