WordPress 3D Viewer Plugin Authorization Bypass Vulnerability Allowing Arbitrary Settings Modification

Vulnerability

A vulnerability exists in the 3D Viewer – 3D Model Viewer – Augmented Reality – Virtual Try On plugin for WordPress, affecting all versions through 2.0.1. The issue stems from a missing authorization check on the '/wp-json/ar_try_on/v1/settings' REST endpoint, which lets authenticated users with subscriber-level access and above bypass the restrictions that should limit settings changes to administrators. Exploitation allows unauthorized modification of plugin settings by writing arbitrary data to the 'ar_try_on_settings' option in the database.

Impact

Exploitation of this vulnerability could lead to unauthorized changes in plugin settings, potentially allowing for further exploitation or misuse of the plugin's functionality.

Reproduction

To reproduce this vulnerability, an authenticated user with subscriber-level access or higher can send a POST request to the '/wp-json/ar_try_on/v1/settings' REST endpoint. The request must include the 'fields' parameter, which can be crafted to include any desired changes to the 'ar_try_on_settings' option. Once the request is processed, the specified changes will be applied, demonstrating the authorization bypass and arbitrary settings modification.

Remediation

Users are advised to update the 3D Viewer – 3D Model Viewer – Augmented Reality – Virtual Try On plugin to version 2.0.2 or a newer patched version.
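The root cause described above is a REST route whose permission callback does not check the caller's capabilities. The following is an added illustration, not the plugin's own code: a settings route in the shape the advisory describes, first with the weak authorization check and then with the check and input handling a maintainer would require. The function names, the allow-listed setting keys and the stored structure of 'ar_try_on_settings' are assumptions for this example.

```php
<?php
// Added illustration (not the plugin's code). The route and option name
// come from the advisory; function names and setting keys are assumed.

// Weak: permission_callback admits every caller, and 'fields' is written
// to the option unchanged, so any subscriber can overwrite the settings.
function ar_example_register_weak_route() {
    register_rest_route( 'ar_try_on/v1', '/settings', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'permission_callback' => '__return_true',            // no capability check
        'callback'            => function ( WP_REST_Request $request ) {
            update_option( 'ar_try_on_settings', $request->get_param( 'fields' ) );
            return rest_ensure_response( array( 'saved' => true ) );
        },
    ) );
}

// Hardened: require a capability only administrators hold, allow-list the
// keys that may be written, and sanitize each value before storing it.
function ar_example_register_hardened_route() {
    register_rest_route( 'ar_try_on/v1', '/settings', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );    // subscribers are refused
        },
        'callback'            => 'ar_example_save_settings',
    ) );
}

function ar_example_save_settings( WP_REST_Request $request ) {
    $allowed = array( 'button_label' => '', 'enable_ar' => '0' ); // assumed keys
    $fields  = $request->get_param( 'fields' );
    if ( ! is_array( $fields ) ) {
        return new WP_Error( 'ar_bad_fields', 'fields must be an object', array( 'status' => 400 ) );
    }
    // Keep only known keys, then coerce each value to a safe scalar.
    $clean = array();
    foreach ( array_intersect_key( $fields, $allowed ) as $key => $value ) {
        $clean[ $key ] = sanitize_text_field( (string) $value );
    }
    $current = get_option( 'ar_try_on_settings', $allowed );
    update_option( 'ar_try_on_settings', wp_parse_args( $clean, $current ) );
    return rest_ensure_response( array( 'saved' => true, 'settings' => $clean ) );
}

add_action( 'rest_api_init', 'ar_example_register_hardened_route' );
```

A site owner who cannot update immediately can confirm the fix is in place by sending a POST to the endpoint as a subscriber-level test account and expecting a 403 response rather than a successful save.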

Added: May 28, 2026, 8:31 AM
Updated: May 28, 2026, 8:31 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 6.3
remediation: 0.0
relevance: 9.6
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.