Restaurant Cafeteria WordPress Theme Arbitrary Plugin Installation Vulnerability
Vulnerability
A vulnerability in the Restaurant Cafeteria WordPress theme, affecting versions through 0.4.6, allows any logged-in user, including subscribers, to execute privileged actions. The theme's admin-ajax actions lack proper nonce and capability checks, enabling unauthorized users to install and activate plugins from external URLs, potentially leading to arbitrary PHP code execution. Additionally, the vulnerability allows for the import of demo content that can overwrite various site settings and configurations.
Impact
Exploitation of this vulnerability could result in unauthorized plugin installations, activation of malicious code, and disruptive changes to the site's content and configuration.
Reproduction
To reproduce this vulnerability, a logged-in user (no special capabilities required) sends a request to 'wp-admin/admin-ajax.php'; the theme's handler performs no nonce or capability check on it. The request must include the 'action' parameter set to 'restaurant_cafeteria_install_and_activate_plugin', along with details about the plugin to be installed, such as its text domain, main file, and a URL to a ZIP file containing the plugin. Once the request is processed, the specified plugin is downloaded, extracted, and activated, executing any PHP code it contains. Alternatively, the 'import_theme_mods' action can be used to import demo content that modifies the site's configuration, including theme settings, pages, menus, and front page options.
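The two missing controls named above, a nonce check and a capability check, as they would appear in a hardened handler for the same admin-ajax action. This is an added example and not the theme's own code: the handler name 'rc_secure_install_plugin_handler', the nonce action 'rc_install_plugin_nonce' and the 'slug' parameter are hypothetical, while 'check_ajax_referer', 'current_user_can', 'plugins_api', 'Plugin_Upgrader' and the 'wp_ajax_' hook are standard WordPress APIs.

```php
<?php
// Added example (not the theme's code): hardened admin-ajax handler for the
// 'restaurant_cafeteria_install_and_activate_plugin' action. Handler, nonce
// and parameter names are hypothetical; the WordPress functions are real.

add_action( 'wp_ajax_restaurant_cafeteria_install_and_activate_plugin', 'rc_secure_install_plugin_handler' );

function rc_secure_install_plugin_handler() {
    // 1. CSRF protection: the request must carry a nonce issued for this action.
    //    check_ajax_referer() terminates the request if the nonce is missing or invalid.
    check_ajax_referer( 'rc_install_plugin_nonce', 'nonce' );

    // 2. Authorization: only users allowed to install AND activate plugins proceed.
    //    Subscribers hold neither capability, so the privileged path is closed to them.
    if ( ! current_user_can( 'install_plugins' ) || ! current_user_can( 'activate_plugins' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Input handling: never install from a caller-supplied ZIP URL.
    //    Accept only a plugin slug and resolve the download link via wordpress.org.
    $slug = isset( $_POST['slug'] ) ? sanitize_key( wp_unslash( $_POST['slug'] ) ) : '';
    if ( '' === $slug ) {
        wp_send_json_error( array( 'message' => 'Missing plugin slug.' ), 400 );
    }

    require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    require_once ABSPATH . 'wp-admin/includes/plugin.php';

    $api = plugins_api( 'plugin_information', array( 'slug' => $slug, 'fields' => array( 'sections' => false ) ) );
    if ( is_wp_error( $api ) ) {
        wp_send_json_error( array( 'message' => $api->get_error_message() ), 400 );
    }

    // The download link now comes from the wordpress.org API, not from the request body.
    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $result   = $upgrader->install( $api->download_link );
    if ( is_wp_error( $result ) || ! $result ) {
        wp_send_json_error( array( 'message' => 'Installation failed.' ), 500 );
    }

    $plugin_file = $upgrader->plugin_info();
    $activated   = activate_plugin( $plugin_file );
    if ( is_wp_error( $activated ) ) {
        wp_send_json_error( array( 'message' => $activated->get_error_message() ), 500 );
    }

    wp_send_json_success( array( 'installed' => $plugin_file ) );
}
```

The same nonce and capability checks apply to the 'import_theme_mods' handler; there the relevant capability is 'edit_theme_options' rather than the plugin-related ones.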
