Doppler Forms WordPress Plugin Missing Authorization Vulnerability on AJAX Action
Vulnerability
A vulnerability exists in the Doppler Forms WordPress plugin in versions prior to 2.6.0. The plugin registers an AJAX action called 'install_extension' without proper user capability verification or nonce validation. This oversight allows any authenticated user, including those with the Subscriber role, to install and activate additional plugins through Doppler Forms, limited to those whitelisted by the main plugin.
Impact
Exploitation of this vulnerability allows for unauthorized installation and activation of plugins, which could lead to further security issues, depending on the capabilities of the installed plugins.
Reproduction
To reproduce this vulnerability, send a POST request to 'wp-admin/admin-ajax.php' with the 'action' parameter set to 'install_extension' and the 'extensionName' parameter set to the slug of a whitelisted plugin, such as 'doppler-for-woocommerce'. Include a cookie for an authenticated user with the Subscriber role.
Remediation
Users are advised to update the Doppler Forms WordPress plugin to version 2.6.0 or later.
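For reviewing other plugin code for the same class of flaw described under Vulnerability (a wp_ajax_ action whose callback has neither a capability check nor nonce validation), the following is an added example, not code from the Doppler Forms plugin or from this advisory. The PHP sample is constructed, and the audit is a regex heuristic that assumes callbacks are defined as plain functions in the same source text.

```python
import re

# Constructed sample plugin source (NOT the Doppler Forms code): one handler
# with no checks, one with both a nonce and a capability check.
SAMPLE_PHP = r"""
add_action( 'wp_ajax_install_extension', array( $this, 'install_extension' ) );
add_action( 'wp_ajax_save_settings', 'example_save_settings' );
function install_extension() {
    $slug = $_POST['extensionName'];
    if ( in_array( $slug, $allowed, true ) ) { example_install( $slug ); }
    wp_die();
}
function example_save_settings() {
    check_ajax_referer( 'example_save', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) { wp_die( -1, 403 ); }
    update_option( 'example', $_POST['value'] );
}
"""

HOOK_RE = re.compile(  # authenticated AJAX hooks: string or array( $obj, 'method' ) callbacks
    r"add_action\(\s*['\"]wp_ajax_(?!nopriv_)(\w+)['\"]\s*,\s*"
    r"(?:array\(\s*[^,]+,\s*)?['\"](\w+)['\"]"
)
CHECKS = {
    "capability": re.compile(r"\bcurrent_user_can\s*\("),
    "nonce": re.compile(r"\b(?:check_ajax_referer|wp_verify_nonce)\s*\("),
}

def function_body(source, name):
    """Brace-balanced body of `function name(...)`; ignores braces in strings."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\([^)]*\)\s*\{", source)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(source) and depth:
        depth += {"{": 1, "}": -1}.get(source[i], 0)
        i += 1
    return source[m.end():i - 1]

def audit_ajax_handlers(source):
    """Map each wp_ajax_ action to the list of checks its callback lacks."""
    findings = {}
    for action, callback in HOOK_RE.findall(source):
        body = function_body(source, callback)
        if body is None:
            findings[action] = ["callback not found"]
            continue
        findings[action] = [k for k, rx in CHECKS.items() if not rx.search(body)]
    return findings
```

An empty list means both checks were found in the callback body; it does not show that the capability tested is the right one for the action, so flagged and unflagged handlers still need a manual read.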
