Shopper Approved Reviews WordPress Plugin Missing Authorization Vulnerability in Versions 2.0 to 2.1
Vulnerability
A vulnerability exists in the Shopper Approved Reviews plugin for WordPress, specifically in versions 2.0 to 2.1. The issue arises from a missing capability check in the 'ajax_callback_update_sa_option()' function, allowing authenticated attackers with Subscriber-level access and above to arbitrarily update options on the WordPress site. This vulnerability could be exploited to change the default role for new users to administrator and enable user registration, potentially giving attackers administrative access on the site.
Impact
Exploitation of this vulnerability could lead to unauthorized changes in user roles, allowing attackers to gain administrative privileges on the affected WordPress site.
Reproduction
To reproduce this vulnerability, an authenticated user with Subscriber-level access or higher can send an AJAX request to the 'update_sa_option' endpoint. The request must include a valid nonce for verification. Once the request is processed, the user can update arbitrary options, such as changing the default role for new users to administrator.
Remediation
Users are advised to update the Shopper Approved Reviews plugin to version 2.2 or later.
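For developers reviewing similar AJAX handlers, the following added example (not the plugin's own code and not its 2.2 fix) shows what a capability check plus an option allowlist looks like for a handler of this kind. The function name and the 'update_sa_option' action come from this advisory; the 'wp_ajax_' hook registration, the nonce action, the request field names and the allowlisted option keys are assumptions made for illustration.

```php
<?php
// Added illustration, not the plugin's code. Assumed (hypothetical) names:
// the nonce action 'sa_update_option', the request fields 'nonce',
// 'option_name' and 'option_value', and the allowlisted option keys.

// Options this handler may write. Anything else is refused, so core settings
// such as default_role or users_can_register stay out of reach.
const SA_WRITABLE_OPTIONS = array( 'sa_site_id', 'sa_api_token' );

// wp_ajax_{action} fires for every logged-in user, Subscribers included.
add_action( 'wp_ajax_update_sa_option', 'ajax_callback_update_sa_option' );

function ajax_callback_update_sa_option() {
    // The nonce ties the request to a session and blocks CSRF. It is not an
    // authorization check: the advisory notes the request carries a valid one.
    check_ajax_referer( 'sa_update_option', 'nonce' );

    // The missing step: require a capability that only administrators hold.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    $name  = isset( $_POST['option_name'] )
        ? sanitize_key( wp_unslash( $_POST['option_name'] ) ) : '';
    $value = isset( $_POST['option_value'] )
        ? sanitize_text_field( wp_unslash( $_POST['option_value'] ) ) : '';

    // Defense in depth: even an authorized caller only touches plugin options.
    if ( ! in_array( $name, SA_WRITABLE_OPTIONS, true ) ) {
        wp_send_json_error( array( 'message' => 'Option not allowed' ), 400 );
    }

    update_option( $name, $value );
    wp_send_json_success();
}
```

On a site that ran an affected version, it is also worth confirming that the 'default_role' and 'users_can_register' options still hold their intended values and that no unexpected administrator accounts exist.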
