WordPress Lead Form Data Collection to CRM Plugin Privilege Escalation Vulnerability
Vulnerability
A vulnerability in the Lead Form Data Collection to CRM plugin for WordPress, affecting all versions up to and including 3.1, allows authenticated users with Subscriber-level access and above to bypass authorization and modify arbitrary data. The issue arises from a missing capability check in the 'doFieldAjaxAction()' function, which is reachable by any logged-in user and writes to WordPress options without verifying that the caller is permitted to change them. This vulnerability can be exploited to elevate the default user role for new registrations to administrator, potentially granting administrative access to the site. Other AJAX actions related to plugin settings lack the same check and are similarly vulnerable.
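The pattern behind this class of bug, shown as an added illustration rather than the plugin's actual source: a WordPress AJAX handler that writes whichever option the request names, beside a hardened version that checks capability and nonce and only accepts plugin-owned option names. The hook name, nonce action, allowed option names, and the assumption that 'onAction' carries the new value are all hypothetical; the parameter names come from the advisory.

```php
<?php
// Illustrative reconstruction, not the plugin's code. Hook, nonce and
// option names are assumptions; request parameters match the advisory.

// VULNERABLE PATTERN: wp_ajax_* hooks run for every logged-in user, including
// Subscribers, and the handler trusts the option name supplied by the caller.
function lfdc_vulnerable_field_ajax_action() {
    $option = sanitize_key( $_POST['option'] ?? '' );
    $value  = sanitize_text_field( wp_unslash( $_POST['onAction'] ?? '' ) );
    update_option( $option, $value ); // no capability check, no nonce, no allowlist
    wp_send_json_success();
}

// HARDENED PATTERN: authorise, verify a nonce, then restrict what can be written.
function lfdc_hardened_field_ajax_action() {
    // 1. Authorisation: changing settings requires manage_options (administrators).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient_capability', 403 );
    }
    // 2. CSRF protection: nonce issued with the settings page (action name assumed).
    check_ajax_referer( 'lfdc_settings_nonce', 'nonce' );

    $crmtype = sanitize_key( $_POST['crmtype'] ?? '' );
    $module  = sanitize_key( $_POST['module'] ?? '' );
    $option  = sanitize_key( $_POST['option'] ?? '' );
    $value   = sanitize_text_field( wp_unslash( $_POST['onAction'] ?? '' ) );

    // 3. Allowlist: only options the plugin owns may be written here, so core
    //    options such as default_role stay out of reach of this endpoint entirely.
    $allowed = array( 'lfdc_field_map', 'lfdc_sync_enabled' ); // assumed names
    if ( '' === $crmtype || '' === $module || ! in_array( $option, $allowed, true ) ) {
        wp_send_json_error( 'invalid_request', 400 );
    }

    update_option( $option, $value );
    wp_send_json_success( array( 'crmtype' => $crmtype, 'module' => $module, 'option' => $option ) );
}

// Register only the hardened handler, and no wp_ajax_nopriv_ variant, so
// unauthenticated requests never reach it at all.
add_action( 'wp_ajax_lfdc_field_action', 'lfdc_hardened_field_ajax_action' );
```

When auditing a plugin for this bug, search every `wp_ajax_` callback for a `current_user_can()` check before any `update_option()` call; a handler that takes the option name from the request needs the allowlist as well, since capability checks alone do not stop an administrator-level CSRF from touching core options.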
Impact
Exploitation of this vulnerability could lead to unauthorized changes in user roles, allowing attackers to gain administrative access on the affected WordPress site.
Reproduction
To reproduce this vulnerability, an authenticated user with Subscriber-level access or higher can send a request to the 'doFieldAjaxAction()' function via AJAX. The request must include the 'crmtype', 'module', 'option', and 'onAction' parameters. Once the request is processed, the user role for new registrations can be changed to administrator, granting admin rights to the user.
Remediation
Users are advised to update the plugin to version 3.2 or later, where this vulnerability has been patched.