Linksy Search and Replace WordPress Plugin Missing Authorization Vulnerability Allows Privilege Escalation
Vulnerability
A vulnerability exists in the Linksy Search and Replace plugin for WordPress, in all versions through 1.0.4. The issue arises from a lack of proper capability checks in the 'linksy_search_and_replace_item_details' function. This flaw enables authenticated attackers with subscriber-level access or higher to arbitrarily modify any database table. Notably, attackers can alter the 'wp_capabilities' field to change their role to administrator, leading to unauthorized privilege escalation.
Impact
Exploitation of this vulnerability allows for arbitrary database modifications, including changes to user roles, which can be abused for privilege escalation.
Reproduction
To reproduce this vulnerability, an authenticated user with subscriber-level access or higher sends a request that invokes the 'linksy_search_and_replace_item_details' function, which lacks the necessary capability checks. The request is manipulated to include the desired database modifications, such as changing values in any database table or altering the 'wp_capabilities' field to escalate privileges to an administrator role.
Remediation
No known patch is available. It is recommended to uninstall the affected plugin and find a replacement.
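Because the flaw lets a low-privileged account rewrite its own 'wp_capabilities' value, a site that ran the plugin should also check whether any role was already changed. The following is an added example, not code from the plugin or from this advisory: it parses the PHP-serialized role map stored in that field and reports accounts that hold the administrator role but are not on an approved list. The row layout, the sample data and the function names are assumptions made for illustration.

```python
import re

# One role entry inside the serialized array: s:<byte length>:"<role>";b:<0|1>;
_ENTRY = re.compile(r's:(\d+):"([^"]*)";b:([01]);')

def parse_capabilities(serialized):
    """Parse a PHP-serialized role map such as a:1:{s:10:"subscriber";b:1;}."""
    outer = re.fullmatch(r'a:(\d+):\{(.*)\}', serialized)
    if not outer:
        raise ValueError("not a serialized array")
    count, body = int(outer.group(1)), outer.group(2)
    roles, pos = {}, 0
    while pos < len(body):
        m = _ENTRY.match(body, pos)
        # Reject entries whose declared length does not match the key.
        if not m or int(m.group(1)) != len(m.group(2).encode()):
            raise ValueError("malformed entry")
        roles[m.group(2)] = m.group(3) == "1"
        pos = m.end()
    if len(roles) != count:
        raise ValueError("entry count mismatch")
    return roles

def audit_admins(rows, approved_admin_ids, meta_key="wp_capabilities"):
    """Return (unexpected_admin_ids, unparseable_ids) for usermeta rows.

    meta_key assumes the default table prefix; adjust it for a custom prefix.
    """
    unexpected, unparseable = [], []
    for user_id, key, value in rows:
        if key != meta_key:
            continue
        try:
            roles = parse_capabilities(value)
        except ValueError:
            unparseable.append(user_id)  # needs manual review
            continue
        if roles.get("administrator") and user_id not in approved_admin_ids:
            unexpected.append(user_id)
    return unexpected, unparseable

# Constructed sample rows: (user_id, meta_key, meta_value)
SAMPLE_ROWS = [
    (1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (2, "wp_capabilities", 'a:1:{s:10:"subscriber";b:1;}'),
    (3, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (4, "wp_capabilities", 'a:1:{s:6:"editor";b:1'),
    (4, "nickname", "dana"),
]

if __name__ == "__main__":
    print(audit_admins(SAMPLE_ROWS, approved_admin_ids={1}))
```

Values that fail to parse are reported separately rather than skipped, since a tampered field may not be well-formed.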
