CVE-2021-25032

PublishPress Capabilities < 2.3.1 - Unauthenticated Arbitrary Options Update to Blog Compromise

In short

The PublishPress Capabilities plugin before version 2.3.1 allows anyone, even without logging in, to change important website settings like user roles through a missing security check. An attacker could make new users administrators and take over the blog.

Technical detail

The settings-update handler the plugin registers on the init hook performs neither an authorization (capability) check nor CSRF nonce validation, and it does not restrict the options it writes to the plugin's own. An unauthenticated attacker can therefore update arbitrary WordPress options with a crafted request. By modifying the default user role option, the attacker can have every newly registered user created as an administrator, leading to complete blog compromise.

Summary generated and translated by AI from the official description.
The PublishPress Capabilities WordPress plugin before 2.3.1 and the PublishPress Capabilities Pro WordPress plugin before 2.3.1 do not have authorisation and CSRF checks when updating the plugin's settings via the init hook, and do not ensure that the options to be updated belong to the plugin. As a result, unauthenticated attackers could update arbitrary blog options, such as the default role, making any newly registered user an administrator.
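The three checks whose absence is described above, shown in a hardened settings handler for a hypothetical WordPress plugin. This is an added example, not code from PublishPress Capabilities; the `example_plugin_*` names, option keys and form fields are assumptions, while the WordPress API calls (`current_user_can`, `check_admin_referer`, `update_option`, and friends) are real.

```php
<?php
// Added example (not the plugin's code): a settings handler that performs the
// authorization, CSRF and option-scope checks missing in CVE-2021-25032.

// Hypothetical option names owned by this plugin; only these may ever be written.
const EXAMPLE_OPTION_ALLOWLIST = array(
    'example_plugin_enable_feature',
    'example_plugin_log_level',
);

function example_plugin_handle_settings_save() {
    // Act only on our own form submission. Hooks such as 'init' and 'admin_init'
    // also run for unauthenticated requests, so bailing out early is not a
    // security control on its own; the checks below still have to follow.
    if ( ! isset( $_POST['example_plugin_save'] ) ) {
        return;
    }

    // 1. Authorization: the caller must hold the capability to manage options.
    //    An anonymous visitor fails this check, which alone closes the
    //    unauthenticated path described in the advisory.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }

    // 2. CSRF: the request must carry a nonce tied to this action and this user,
    //    so an administrator cannot be tricked into submitting the form from
    //    another site. check_admin_referer() dies on a missing or invalid nonce.
    check_admin_referer( 'example_plugin_save_settings', 'example_plugin_nonce' );

    // 3. Scope: only allowlisted keys reach update_option(). A request that names
    //    a core option such as 'default_role' is silently ignored here, instead of
    //    being written as the vulnerable handler would have done.
    $submitted = (array) ( $_POST['example_plugin_options'] ?? array() );
    foreach ( $submitted as $key => $value ) {
        if ( ! in_array( $key, EXAMPLE_OPTION_ALLOWLIST, true ) ) {
            continue;
        }
        update_option( $key, sanitize_text_field( wp_unslash( $value ) ) );
    }
}
add_action( 'admin_init', 'example_plugin_handle_settings_save' );
```

Site operators checking for after-effects of this issue can read the current value with `wp option get default_role` (a default install returns `subscriber`) and review `wp user list --role=administrator` for accounts that should not be there.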
