Quote Comments WordPress Plugin Missing Authorization Vulnerability Allowing Arbitrary Settings Updates
Vulnerability
A missing authorization vulnerability has been identified in the Quote Comments plugin for WordPress, affecting all versions up to and including 3.0.0. The 'quotecomments_add_admin' function saves plugin settings without first checking the requesting user's capabilities, so any authenticated user with Subscriber-level access or higher can overwrite arbitrary plugin options by submitting a request whose 'action' parameter triggers the save.
Impact
Any logged-in user, including Subscribers (the role a site typically grants on open registration), can overwrite the plugin's options with attacker-chosen values. At minimum this lets a low-privileged account disable, misconfigure, or otherwise disrupt the plugin; the wider effect depends on which options the plugin exposes and how it uses them.
Reproduction
An authenticated user with Subscriber-level access or higher sends a request to the WordPress site with the 'action' parameter set to 'save', together with the option values to store. Because the handler performs no capability check, the request is processed for any logged-in role and the supplied plugin options are updated.
Remediation
No fixed version is available. Site owners should confirm the installed version on the Plugins screen (3.0.0 or earlier is affected), then deactivate and uninstall the plugin. If it must remain installed, restrict user registration and review the plugin's options for unexpected values, since any existing Subscriber account can already have modified them.
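The example below is added here for illustration and is not the Quote Comments plugin's own code. It reconstructs the kind of pattern this advisory describes (a settings save that runs on 'action=save' with no capability check) beside a hardened version, so plugin developers can recognise and fix the same bug in their own code. Everything named 'example_*' is hypothetical; the assumption that the save is processed inside the 'admin_menu' callback is one plausible way a function named like 'quotecomments_add_admin' could be reachable by Subscribers, not a fact established by the page.

```php
<?php
// Added illustrative example, not the plugin's actual source.
// Assumption: the settings save lives in the admin_menu callback.
// admin_menu fires on every wp-admin page load for every logged-in
// role (Subscribers can load wp-admin for their profile), so the
// $_POST check below is reachable by any authenticated user.

/* ---------- VULNERABLE PATTERN ---------- */
add_action( 'admin_menu', 'example_vulnerable_add_admin' );
function example_vulnerable_add_admin() {
    // No current_user_can() and no nonce check: anyone logged in who
    // POSTs action=save gets their values written to the options table.
    if ( isset( $_POST['action'] ) && 'save' === $_POST['action'] ) {
        foreach ( $_POST as $name => $value ) {
            if ( 'action' !== $name ) {
                update_option( $name, $value ); // arbitrary option name and value
            }
        }
    }
    // The 'manage_options' capability here only gates who sees the menu
    // entry and the page; it does nothing for the save that already ran.
    add_options_page( 'Example', 'Example', 'manage_options',
        'example-settings', 'example_vulnerable_settings_page' );
}
function example_vulnerable_settings_page() { /* renders the form */ }

/* ---------- HARDENED PATTERN ---------- */
add_action( 'admin_menu', 'example_hardened_add_admin' );
function example_hardened_add_admin() {
    // Register the page only; all request handling happens in the callback.
    add_options_page( 'Example', 'Example', 'manage_options',
        'example-settings', 'example_hardened_settings_page' );
}

function example_hardened_settings_page() {
    // 1. Capability check (defence in depth on top of add_options_page).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to manage these settings.', 'example' ), 403 );
    }

    if ( isset( $_POST['action'] ) && 'save' === $_POST['action'] ) {
        // 2. Nonce check: blocks CSRF against the legitimate administrator.
        check_admin_referer( 'example_save_settings', 'example_nonce' );

        // 3. Allow-list of option names, each with its own sanitizer, so a
        //    request can never choose which option it writes.
        $allowed = array(
            'example_quote_style' => 'sanitize_text_field',
            'example_show_author' => 'rest_sanitize_boolean',
        );
        foreach ( $allowed as $name => $sanitize ) {
            if ( isset( $_POST[ $name ] ) ) {
                update_option( $name, call_user_func( $sanitize, wp_unslash( $_POST[ $name ] ) ) );
            }
        }
    }

    // Form with the nonce field the check above expects.
    echo '<form method="post">';
    wp_nonce_field( 'example_save_settings', 'example_nonce' );
    echo '<input type="hidden" name="action" value="save">';
    echo '<p><label>Quote style <input type="text" name="example_quote_style" value="'
        . esc_attr( get_option( 'example_quote_style', '' ) ) . '"></label></p>';
    echo '<p><label><input type="checkbox" name="example_show_author" value="1" '
        . checked( get_option( 'example_show_author', false ), true, false ) . '> Show author</label></p>';
    submit_button( 'Save' );
    echo '</form>';
}
```

The three fixes are independent and all three are needed: the capability check is what this advisory is about, the nonce check stops an attacker from having an administrator submit the save for them, and the allow-list removes the "arbitrary option" part of the bug even if a future code path forgets the other two.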
