Ultimate WordPress Toolkit WP Extended Remote Code Execution Vulnerability
Vulnerability
A remote code execution vulnerability exists in the Ultimate WordPress Toolkit - WP Extended plugin, specifically in version 3.0.11. The issue arises from a lack of proper capability checks in the 'wpext_handle_snippet_update' function. This vulnerability allows authenticated attackers with Subscriber-level access and above to execute arbitrary code on the server, provided that an admin has created at least one code snippet.
Impact
Exploitation of this vulnerability allows for remote code execution on the server where the affected WordPress site is hosted.
Reproduction
To reproduce this vulnerability, an authenticated user with Subscriber-level access or higher can send a request to the 'wpext_update_snippet_status' AJAX action. This request must include the 'wpext_snippet_nonce' for verification, as well as the 'snippet_id' and 'snippet_name' parameters. The 'snippet_code' parameter can be used to inject malicious PHP code, which will be executed on the server.
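Added example of the flaw class described above, not the plugin's own code: a hypothetical WordPress AJAX handler (hook name, nonce action, parameter and meta-key names are assumed placeholders) shown first with only a nonce check, then with the capability check that stops low-privilege users from saving code that the server will later execute.

```php
<?php
// Added illustration, not the plugin's code. Names are placeholders.

// VULNERABLE PATTERN: nonce only. check_ajax_referer() proves the request
// was issued from a page of this site, not that the caller is privileged.
// Any logged-in user who can obtain the nonce can therefore store PHP.
function example_snippet_update_vulnerable() {
    check_ajax_referer( 'example_snippet_nonce', 'nonce' );

    $snippet_id = isset( $_POST['snippet_id'] ) ? absint( $_POST['snippet_id'] ) : 0;
    $code       = isset( $_POST['snippet_code'] ) ? wp_unslash( $_POST['snippet_code'] ) : '';

    // Stored code is assumed to be eval()'d elsewhere by the plugin.
    update_post_meta( $snippet_id, '_example_snippet_code', $code );
    wp_send_json_success();
}

// HARDENED PATTERN: keep the nonce (CSRF) check and add an authorization
// check. Saving executable code is an administrative action, so gate it on
// manage_options rather than a broad capability such as edit_posts, and
// fail closed with a 403 before touching any request data.
function example_snippet_update_hardened() {
    check_ajax_referer( 'example_snippet_nonce', 'nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $snippet_id = isset( $_POST['snippet_id'] ) ? absint( $_POST['snippet_id'] ) : 0;
    if ( 0 === $snippet_id || 'example_snippet' !== get_post_type( $snippet_id ) ) {
        wp_send_json_error( array( 'message' => 'Invalid snippet.' ), 400 );
    }

    $code = isset( $_POST['snippet_code'] ) ? wp_unslash( $_POST['snippet_code'] ) : '';
    update_post_meta( $snippet_id, '_example_snippet_code', $code );
    wp_send_json_success();
}

// Register only the hardened handler. Omitting wp_ajax_nopriv_* keeps the
// action unavailable to unauthenticated requests.
add_action( 'wp_ajax_example_snippet_update', 'example_snippet_update_hardened' );
```

When reviewing a plugin for this class of bug, look for every wp_ajax_* handler that writes settings, files or code and confirm it calls current_user_can() in addition to check_ajax_referer().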
Remediation
Users are advised to update the Ultimate WordPress Toolkit - WP Extended plugin to version 3.0.12 or later.