Punnel Landing Page Builder WordPress Plugin Missing Authorization Vulnerability

Vulnerability

A missing authorization vulnerability has been identified in the Punnel – Landing Page Builder plugin for WordPress, affecting all versions through 1.3.1. The vulnerability arises because the save_config() function, which processes the 'punnel_save_config' AJAX action, does not include any capability checks or nonce verification. This oversight allows authenticated attackers with Subscriber-level access and above to overwrite the plugin's entire configuration, including the API key, by sending a POST request to admin-ajax.php. Once the API key has been overwritten with a value the attacker knows, the attacker can use the plugin's public API endpoint to create, update, or delete arbitrary posts, pages, and products on the site.
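The two checks named above, shown in a hardened handler as an added example; this is a sketch and not the Punnel plugin's own code. The function name, the option name 'punnel_config', the nonce action 'punnel_save_config_nonce', the request fields 'nonce' and 'config', and the allowed keys are all assumptions made for illustration.

```php
<?php
// Added example, not the plugin's code. All names other than the
// 'punnel_save_config' action and the WordPress core functions are hypothetical.

// Register for logged-in users only. No wp_ajax_nopriv_ hook is added.
add_action( 'wp_ajax_punnel_save_config', 'example_punnel_save_config' );

function example_punnel_save_config() {
    // 1. Nonce verification. The settings page is assumed to emit the nonce
    //    with wp_create_nonce( 'punnel_save_config_nonce' ). Passing false as
    //    the third argument returns the result so a JSON error can be sent.
    if ( ! check_ajax_referer( 'punnel_save_config_nonce', 'nonce', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid nonce.' ), 403 );
    }

    // 2. Capability check. wp_ajax_* hooks fire for every logged-in user,
    //    Subscribers included, and a nonce is not an authorization control.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Merge only known string fields into the stored configuration
    //    instead of replacing the whole option with request data.
    $input = ( isset( $_POST['config'] ) && is_array( $_POST['config'] ) )
        ? wp_unslash( $_POST['config'] )
        : array();

    $current = get_option( 'punnel_config', array() );
    if ( ! is_array( $current ) ) {
        $current = array();
    }

    $allowed = array( 'api_key', 'site_label' ); // hypothetical key names
    $changed = array();
    foreach ( $allowed as $key ) {
        if ( isset( $input[ $key ] ) && is_string( $input[ $key ] ) ) {
            $current[ $key ] = sanitize_text_field( $input[ $key ] );
            $changed[]       = $key;
        }
    }

    update_option( 'punnel_config', $current );
    wp_send_json_success( array( 'updated' => $changed ) );
}
```

Both wp_send_json_error() and wp_send_json_success() terminate the request, so a failed check never reaches update_option().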

Impact

Exploitation of this vulnerability allows for unauthorized modification of the plugin's settings, including the API key, which can then be used to manipulate content on the site through the plugin's API.

Reproduction

To reproduce this vulnerability, an authenticated user with Subscriber-level access or higher can send a POST request to admin-ajax.php with the 'punnel_save_config' action. The request must include the new configuration data, which can overwrite existing settings, including the API key. After updating the API key, the same user can make requests to the plugin's public API endpoint to modify or delete content on the site.

Added: Mar 21, 2026, 5:19 AM
Updated: Mar 21, 2026, 5:19 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 7.1
remediation: 0.0
relevance: 4.2
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.