WordPress Property Plugin Privilege Escalation Vulnerability

A privilege escalation vulnerability has been identified in the Property plugin for WordPress, affecting versions 1.0.5 to 1.0.6. The issue arises from a missing capability check on the property_package_user_role metadata, allowing authenticated attackers with Author-level access or higher to elevate their privileges to that of an administrator. This is achieved by creating a package post with the property_package_user_role set to administrator and submitting the PayPal registration form.

Impact

Exploitation of this vulnerability allows for unauthorized privilege escalation, granting an authenticated user with Author-level access the rights of an administrator.

Reproduction

To reproduce this vulnerability, an authenticated user with Author-level access must create a package post and set the property_package_user_role metadata to 'administrator'. After publishing the post, the user can submit the PayPal registration form, which will trigger the privilege escalation.

Remediation

Users are advised to update the Property plugin to version 1.0.7 or later, where this vulnerability has been patched.