PZ Frontend Manager
cpe:2.3:a:projectzealous:pz_frontend_manager:*:*:*:*:wordpress:*:*
- <= 1.0.6
A vulnerability exists in the PZ Frontend Manager plugin for WordPress, affecting all versions up to and including 1.0.6. The issue stems from missing authorization in the 'pzfm_user_request_action_callback' function, which is registered on the 'wp_ajax_pzfm_user_request_action' hook. This function handles user activation, deactivation, and deletion but performs neither a capability check nor nonce verification. When the 'dataType' parameter is set to 'delete', the function deletes the users identified by the supplied user IDs without confirming that the current user is permitted to do so. Because 'wp_ajax_' hooks fire for any logged-in user who calls admin-ajax.php, authenticated attackers with Subscriber-level access or higher can delete any WordPress user, including administrators, by sending a tailored request to the AJAX endpoint.
Exploitation of this vulnerability allows for the unauthorized deletion of WordPress users, including those with administrative privileges.
To reproduce this vulnerability, send a request (a POST is the usual method for WordPress AJAX) to /wp-admin/admin-ajax.php with the 'action' parameter set to 'pzfm_user_request_action' (WordPress adds the 'wp_ajax_' prefix when dispatching the hook; the client does not send it), the 'dataType' parameter set to 'delete', and the 'dataID' parameter carrying the ID(s) of the users to be deleted. The request can be made with a tool like Postman, with curl, or through custom JavaScript that calls the WordPress AJAX API. It must be sent with the session cookies of a user who has Subscriber-level access or higher, since 'wp_ajax_' hooks are not reachable anonymously.
No known patch is available. It is recommended to review the vulnerability details and deactivate or uninstall the affected plugin; as long as it is active, any logged-in user can reach the handler. Site owners should also check the Users list for unexpected deletions and consider blocking requests to admin-ajax.php whose 'action' parameter is 'pzfm_user_request_action' at the web server or WAF until the plugin is removed.
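The class of bug described above, and the checks a fix would need, as an added illustrative example. This is not the PZ Frontend Manager plugin's own code: only the hook name and the 'dataType' / 'dataID' parameter names are taken from the advisory; the function names, the nonce action name 'pzfm_user_request' and the user meta key 'pzfm_active' are assumptions made for the example.

```php
<?php
/**
 * Added example, not the plugin's code. The hook and the 'dataType' /
 * 'dataID' parameter names come from the advisory; the function names,
 * the nonce action 'pzfm_user_request' and the meta key 'pzfm_active'
 * are assumptions for illustration.
 */

// --- Vulnerable shape: the bug class the advisory describes ---------------
// wp_ajax_* fires for every logged-in user who posts to admin-ajax.php,
// so without a nonce and a capability check any Subscriber reaches this.
function insecure_user_request_action_callback() {
    require_once ABSPATH . 'wp-admin/includes/user.php';
    $type = isset( $_POST['dataType'] ) ? $_POST['dataType'] : '';
    $ids  = isset( $_POST['dataID'] ) ? (array) $_POST['dataID'] : array();
    if ( 'delete' === $type ) {
        foreach ( $ids as $id ) {
            wp_delete_user( (int) $id ); // no nonce, no current_user_can()
        }
    }
    wp_send_json_success();
}

// --- Hardened version ------------------------------------------------------
function hardened_user_request_action_callback() {
    // 1. CSRF: the front end must send wp_create_nonce( 'pzfm_user_request' )
    //    in a 'nonce' field; check_ajax_referer() dies with 403 otherwise.
    check_ajax_referer( 'pzfm_user_request', 'nonce' );

    $type = isset( $_POST['dataType'] )
        ? sanitize_key( wp_unslash( $_POST['dataType'] ) ) : '';
    $ids = isset( $_POST['dataID'] )
        ? array_map( 'absint', (array) wp_unslash( $_POST['dataID'] ) ) : array();
    $ids = array_filter( array_unique( $ids ) ); // drop 0 / non-numeric IDs

    // 2. Authorization: each action maps to the core capability that gates it.
    $required_cap = array(
        'activate'   => 'edit_users',
        'deactivate' => 'edit_users',
        'delete'     => 'delete_users',
    );
    if ( ! isset( $required_cap[ $type ] ) ) {
        wp_send_json_error( 'unknown action', 400 );
    }
    if ( ! current_user_can( $required_cap[ $type ] ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    if ( empty( $ids ) ) {
        wp_send_json_error( 'no user ids', 400 );
    }

    $processed = array();
    foreach ( $ids as $id ) {
        // 3. Per-target checks: never act on yourself, and never on an
        //    account that outranks you (administrator-level targets require
        //    administrator-level callers).
        if ( $id === get_current_user_id() ) {
            continue;
        }
        $target = get_userdata( $id );
        if ( ! $target ) {
            continue;
        }
        if ( user_can( $target, 'manage_options' ) && ! current_user_can( 'manage_options' ) ) {
            continue;
        }

        if ( 'delete' === $type ) {
            require_once ABSPATH . 'wp-admin/includes/user.php';
            if ( wp_delete_user( $id ) ) {
                $processed[] = $id;
            }
        } else {
            // Activation state kept in an assumed meta key for this example.
            update_user_meta( $id, 'pzfm_active', 'activate' === $type ? 1 : 0 );
            $processed[] = $id;
        }
    }
    wp_send_json_success( array( 'processed' => $processed ) );
}
add_action( 'wp_ajax_pzfm_user_request_action', 'hardened_user_request_action_callback' );
```

The two checks that matter are independent: the nonce stops a cross-site request from riding a victim administrator's session, and current_user_can() stops a low-privilege account from calling the handler directly. A handler that has only one of them is still exploitable by the other route, which is why the advisory names both as missing.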