Frontend Dashboard Privilege Escalation Vulnerability in WordPress

A privilege escalation vulnerability has been identified in the Frontend Dashboard plugin for WordPress, affecting versions 1.0 to 2.2.7. The issue arises from a missing capability check in the ajax_request() function, allowing authenticated attackers with Subscriber-level access and above to manipulate the plugin's email-sending functionality. By redirecting SMTP traffic to their own server, these attackers could intercept password reset emails intended for administrators, potentially leading to unauthorized access and full control over the site.

Impact

Exploitation of this vulnerability allows for unauthorized privilege escalation, enabling attackers to gain administrative rights by intercepting and manipulating password reset emails.

Reproduction

To reproduce this vulnerability, an authenticated user with Subscriber-level access must send a request to the ajax_request() function of the Frontend Dashboard plugin. This request can be made through the WordPress admin interface or by using a tool that simulates AJAX requests. The absence of a proper capability check allows the user to control the destination of outgoing emails, including those related to password resets.

Remediation

Users are advised to update the Frontend Dashboard plugin to version 2.2.8 or later, where this vulnerability has been fixed.