Location Weather WordPress Plugin Missing Authorization Vulnerability in Block Settings and Cache Management

Vulnerability

A vulnerability exists in the Location Weather plugin for WordPress, specifically in versions through 3.0.2. The issue arises from inadequate capability checks in the 'splw_update_block_options()' and 'lwp_clean_weather_transients()' functions. This flaw allows authenticated attackers with Contributor-level access and above to disable all weather blocks and clear all weather cache transients. The nonce required for these actions is accessible to all authenticated users via 'wp_localize_script()' on the 'init' hook.

Impact

Exploitation of this vulnerability allows for unauthorized modification of block settings and cache management, specifically disabling weather blocks and purging weather-related cache transients.

Reproduction

To reproduce this vulnerability, an authenticated user with Contributor-level access or higher sends an AJAX request to the 'wp_ajax_splw_update_block_options' or 'wp_ajax_lwp_clean_weather_transients' action. These requests only need to carry the nonce 'splw_admin_settings_nonce', which is exposed to all authenticated users, so no higher capability is required.
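The root cause described in the Vulnerability and Reproduction sections is a general WordPress pattern: a nonce handed to every logged-in user via wp_localize_script() only proves the request came from the site's own UI, it does not establish authorization. The following is an added, hypothetical example (not the Location Weather plugin's source; all lwx_* names, option keys and transient keys are invented) showing an AJAX handler that relies on the nonce alone beside the hardened form that adds a capability check:

```php
<?php
/**
 * Illustrative example of the missing-authorization pattern and its fix.
 * Hypothetical code: NOT the Location Weather plugin's source. All lwx_*
 * names, option keys and transient keys are invented for this example.
 */

// The nonce is localized on 'init', so every logged-in user can read it from
// the page source. It proves the request originated from the site's own UI
// (CSRF protection), not that the caller is allowed to change settings.
function lwx_enqueue_admin_data() {
    wp_register_script( 'lwx-admin', plugins_url( 'admin.js', __FILE__ ), array(), '1.0', true );
    wp_localize_script( 'lwx-admin', 'lwxAdmin', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'lwx_admin_settings_nonce' ),
    ) );
}
add_action( 'init', 'lwx_enqueue_admin_data' );

// BEFORE: nonce check only. Any authenticated user who holds the localized
// nonce (Contributor and up) passes this check and can disable the blocks.
function lwx_update_block_options_vulnerable() {
    check_ajax_referer( 'lwx_admin_settings_nonce', 'nonce' );
    update_option( 'lwx_blocks_enabled', false );
    wp_send_json_success();
}

// AFTER: the privileged operation is gated by a capability check in addition
// to the nonce. manage_options is the conventional capability for plugin
// settings; Contributors do not have it.
function lwx_update_block_options_fixed() {
    check_ajax_referer( 'lwx_admin_settings_nonce', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
    $enabled = isset( $_POST['enabled'] ) ? (bool) absint( $_POST['enabled'] ) : true;
    update_option( 'lwx_blocks_enabled', $enabled );
    wp_send_json_success( array( 'enabled' => $enabled ) );
}

// Same treatment for the cache-purge endpoint: clearing transients is an
// administrative action, so it gets the same capability gate.
function lwx_clean_weather_transients_fixed() {
    check_ajax_referer( 'lwx_admin_settings_nonce', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
    // Hypothetical transient keys; delete only the keys this plugin owns.
    foreach ( array( 'lwx_weather_current', 'lwx_weather_forecast' ) as $key ) {
        delete_transient( $key );
    }
    wp_send_json_success();
}

// Register only the hardened handlers. There is deliberately no
// wp_ajax_nopriv_ variant, so unauthenticated requests never reach them.
add_action( 'wp_ajax_lwx_update_block_options', 'lwx_update_block_options_fixed' );
add_action( 'wp_ajax_lwx_clean_weather_transients', 'lwx_clean_weather_transients_fixed' );
```

When reviewing a plugin for this class of issue, look at every wp_ajax_* callback and confirm it calls current_user_can() (or an equivalent role check) for the capability the action actually requires; a check_ajax_referer() call on its own is not an authorization check, and a nonce created on 'init' or enqueued for all logged-in users should be assumed to be known to every account on the site.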

Remediation

Users are advised to update the Location Weather plugin to version 3.0.3 or a newer patched version.

Added: May 22, 2026, 5:27 AM
Updated: May 22, 2026, 5:27 AM

Vulnerability Rating

Custom Algorithm
spread: 3.4
impact: 2.5
exploitability: 7.8
remediation: 7.7
relevance: 8.9
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.