CalJ WordPress Plugin Missing Authorization Vulnerability Allowing Arbitrary Settings Modification
Vulnerability
A missing authorization vulnerability has been identified in the CalJ plugin for WordPress, affecting all versions through 1.5. The issue arises from a lack of capability checks in the CalJSettingsPage class constructor, which handles the 'save-obtained-key' operation from POST data without verifying that the user has the 'manage_options' capability and without performing nonce verification. This vulnerability allows authenticated users with Subscriber-level access and above to alter the plugin's API key settings and clear the Shabbat cache, thereby gaining control over the plugin's API integration.
Impact
Exploitation of this vulnerability allows authenticated users with Subscriber-level access and above to modify the plugin's API key settings and clear the Shabbat cache, disrupting the plugin's functionality and API integration.
Reproduction
To reproduce this vulnerability, an authenticated user with Subscriber-level access or higher sends a POST request to the WordPress admin area (including admin-ajax.php); because the handler performs neither a capability check nor nonce verification, the request is accepted. The request must include the 'calj-op' parameter set to 'save-obtained-key' and the 'calj-key' parameter with the desired API key value. Once the request is processed, the API key is updated in the plugin settings and the cache is cleared.
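The root cause described above, shown as an added example that is not the CalJ plugin's own code: a constructor that acts on POST data with no checks, beside a hardened version that gates the same 'save-obtained-key' operation behind a 'manage_options' capability check and a nonce. The option name 'calj_api_key', the nonce action name and the helper calj_clear_shabbat_cache() are assumptions.

```php
<?php
// Added example, not the CalJ plugin's own code. The option name, nonce action
// and calj_clear_shabbat_cache() are assumptions illustrating the pattern the
// advisory describes.

// Vulnerable pattern: the constructor acts on POST data with no capability
// check and no nonce, so any logged-in user can change the key and flush the cache.
class CalJSettingsPage_Vulnerable {
    public function __construct() {
        if ( isset( $_POST['calj-op'] ) && 'save-obtained-key' === $_POST['calj-op'] ) {
            update_option( 'calj_api_key', $_POST['calj-key'] ); // option name assumed
            calj_clear_shabbat_cache();                           // hypothetical helper
        }
    }
}

// Hardened pattern: the write runs only for users with manage_options who
// submitted the plugin's own form (nonce), and the input is sanitized.
class CalJSettingsPage_Hardened {
    const NONCE_ACTION = 'calj-save-obtained-key'; // assumed action name
    public function __construct() {
        // Keep side effects out of the constructor; run the handler on admin_init.
        add_action( 'admin_init', array( $this, 'maybe_save_obtained_key' ) );
    }

    public function maybe_save_obtained_key() {
        if ( ! isset( $_POST['calj-op'] ) || 'save-obtained-key' !== $_POST['calj-op'] ) {
            return;
        }
        // Authorization: only users allowed to manage options may change the key.
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_die( esc_html__( 'Not allowed.', 'calj' ), '', array( 'response' => 403 ) );
        }
        // CSRF protection: the request must carry the nonce emitted by render_form().
        check_admin_referer( self::NONCE_ACTION, 'calj_nonce' );
        $key = sanitize_text_field( wp_unslash( $_POST['calj-key'] ?? '' ) );
        update_option( 'calj_api_key', $key );
        calj_clear_shabbat_cache();
    }

    // The settings form includes the nonce so legitimate submissions pass the check.
    public function render_form() {
        echo '<form method="post"><input type="text" name="calj-key">';
        wp_nonce_field( self::NONCE_ACTION, 'calj_nonce' );
        echo '<input type="hidden" name="calj-op" value="save-obtained-key">';
        submit_button();
        echo '</form>';
    }
}
```

When reviewing a plugin for this class of bug, look for any handler that reads $_POST or $_GET on construction or on 'init'/'admin_init' and confirm it reaches current_user_can() and check_admin_referer() (or wp_verify_nonce()) before it writes options or clears caches.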
