Bonanza WooCommerce Free Gifts Lite Missing Authorization Vulnerability
Vulnerability
A vulnerability exists in the Bonanza – WooCommerce Free Gifts Lite plugin for WordPress, all versions through 1.0.0. The issue arises from a missing capability check in the xlo_optin_call() function, allowing authenticated attackers with Subscriber-level access or higher to modify data without authorization by changing the opt-in status to 'success'.
Impact
Exploitation of this vulnerability allows for unauthorized data modification, specifically enabling attackers to falsely indicate opt-in success.
Reproduction
To reproduce this vulnerability, an authenticated user with Subscriber-level access or higher sends a request to the WordPress site with the 'wp_ajax_xlo_optin_call' action. The request must include the 'status' parameter set to 'yes', which causes the plugin to update the opt-in status to 'success'.
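The root cause described above is a WordPress AJAX handler that relies on the login requirement of the wp_ajax_ hook alone. The following added illustration is not the plugin's code: it shows that pattern next to a hardened handler that adds a nonce check and a capability check. The function and hook names come from the advisory; the option name 'xlo_optin_status', the nonce action 'xlo_optin_nonce' and the 'manage_options' capability are assumptions made for the example.

```php
<?php
// Added illustration, not the plugin's code. Option name, nonce action and
// required capability are assumptions chosen for this example.

// Vulnerable pattern: wp_ajax_* callbacks run for ANY logged-in user, including
// Subscribers, and this handler never asks whether the user may change the setting.
function xlo_optin_call_vulnerable() {
    if ( isset( $_POST['status'] ) && 'yes' === $_POST['status'] ) {
        update_option( 'xlo_optin_status', 'success' );
    }
    wp_send_json_success();
}

// Hardened pattern: verify a nonce bound to this action, then require an
// administrative capability before touching the option.
function xlo_optin_call_hardened() {
    // Rejects the request (HTTP 403) if the 'nonce' field is missing or invalid.
    check_ajax_referer( 'xlo_optin_nonce', 'nonce' );

    // Authorization: only users allowed to manage site options may change opt-in state.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }

    $status = isset( $_POST['status'] )
        ? sanitize_text_field( wp_unslash( $_POST['status'] ) )
        : '';

    if ( 'yes' === $status ) {
        update_option( 'xlo_optin_status', 'success' );
    }
    wp_send_json_success();
}

// Register only the hardened handler on the admin-ajax action named in the advisory.
add_action( 'wp_ajax_xlo_optin_call', 'xlo_optin_call_hardened' );
```

The same two checks should appear in every wp_ajax_ callback that changes state; a missing current_user_can() call is the exact defect class this advisory reports.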
Remediation
No known patch is available. It is recommended to uninstall the affected plugin and consider a replacement.
