Gallery Blocks with Lightbox WordPress Plugin Missing Authorization Vulnerability Allowing Arbitrary Options Update
Vulnerability
A vulnerability exists in the Gallery Blocks with Lightbox WordPress plugin in versions prior to 3.0.8. The issue arises from an AJAX endpoint accessible to all authenticated users, including subscribers. The endpoint's callback function permits several actions, the most critical of which is reading and modifying arbitrary WordPress options. Exploiting this could be used to enable open user registration with administrator as the default role.
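The defect described above is the familiar WordPress pattern of a nonce check standing in for an authorization check. The following is an added, illustrative PHP example and not the plugin's own code; the hook name, nonce action and option keys are hypothetical. It shows the unsafe pattern beside a hardened handler that requires the `manage_options` capability and only updates an allow-list of the plugin's own settings.

```php
<?php
// Added illustrative example, not the plugin's code. Hook names, nonce
// action, option keys and the allow-list below are hypothetical.

// Unsafe pattern: the nonce only proves the request came from the plugin's
// page, and every logged-in user (subscribers included) can read that nonce
// there, so a nonce check alone is not authorization.
function example_unsafe_wizard_handler() {
    check_ajax_referer( 'example_wizard_nonce', 'nonce' );
    $props = json_decode( wp_unslash( $_POST['props'] ?? '{}' ), true );
    foreach ( (array) $props as $name => $value ) {
        update_option( $name, $value ); // any option, including core ones
    }
    wp_send_json_success();
}

// Hardened pattern: require a capability, then touch only an allow-list of
// the plugin's own options with validated values.
const EXAMPLE_ALLOWED_OPTIONS = array(
    'example_gallery_lightbox' => 'bool',
    'example_gallery_columns'  => 'int',
);

function example_hardened_wizard_handler() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'example_wizard_nonce', 'nonce' );

    $props = json_decode( wp_unslash( $_POST['props'] ?? '{}' ), true );
    if ( ! is_array( $props ) ) {
        wp_send_json_error( 'bad request', 400 );
    }
    foreach ( $props as $name => $value ) {
        if ( ! isset( EXAMPLE_ALLOWED_OPTIONS[ $name ] ) ) {
            continue; // ignore anything outside the allow-list (e.g. core options)
        }
        $value = 'int' === EXAMPLE_ALLOWED_OPTIONS[ $name ]
            ? absint( $value )
            : (bool) $value;
        update_option( $name, $value );
    }
    wp_send_json_success();
}

// wp_ajax_ hooks fire for any logged-in user; the capability check inside
// the callback is what actually restricts who may change settings.
add_action( 'wp_ajax_example_wizard', 'example_hardened_wizard_handler' );
```

On the detection side, a subscriber-level account issuing POST requests to admin-ajax.php that are followed by changes to `users_can_register` or `default_role` is a useful audit-log signal for this class of bug.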
Impact
Exploitation of this vulnerability allows authenticated users, such as subscribers, to arbitrarily modify WordPress options. This could be used to change settings related to user registration, potentially allowing the creation of new administrator accounts.
Reproduction
To reproduce this vulnerability, log into a WordPress site as a subscriber and navigate to the welcome page of the Gallery Blocks with Lightbox plugin. Open the browser's developer console and send a POST request to the admin-ajax.php file. Include the action parameter set to 'pgc_sgb_action_wizard', the nonce from the plugin's welcome page, and a props parameter containing a JSON string that specifies the options to be updated, such as enabling user registration and setting the default role to administrator.
Remediation
Users are advised to update the Gallery Blocks with Lightbox WordPress plugin to version 3.0.8 or later.