Offsprout Page Builder Privilege Escalation Vulnerability

A privilege escalation vulnerability has been identified in the Offsprout Page Builder plugin for WordPress, affecting versions 2.2.1 through 2.15.2. The issue arises from improper authorization in the permission_callback function, allowing authenticated attackers with Contributor-level access or higher to read, create, update, or delete any user meta. This includes the ability to change their own wp_capabilities to administrator, thereby fully escalating privileges.

Impact

Exploitation of this vulnerability allows for unauthorized privilege escalation, enabling users to gain administrative rights.

Reproduction

To reproduce this vulnerability, an authenticated user with Contributor-level access can use the WordPress REST API to send requests that manipulate user meta data. This can be done by targeting the 'usermeta' endpoint with the appropriate parameters to read, create, update, or delete user meta information. By specifically altering the 'wp_capabilities' meta key, a user can escalate their privileges to that of an administrator.

Remediation

No known patch is available. It is recommended to uninstall the affected plugin and find a replacement.