Broken access control vulnerability fixed in WordPress 10Web AI Assistant plugin.

The WordPress 10Web AI Assistant – AI content writing assistant plugin version 1.0.18 and below was prone to a broken access control vulnerability that could allow authenticated users to install plugins.

Authenticated Arbitrary Plugin Installation

CVSS v3.1: 6.3 (Medium)

In the “ai-assistant-by-10web.php” script, the wp_ajax_install_plugin hook loads the install_plugin function. That function doesn’t verify the capabilities of the user but, instead, relies only on the REST_NONCE_ACTION nonce. However, that nonce is accessible to all logged-in users because it is loaded via the admin_enqueue_scripts hook. Therefore, an authenticated user such as a subscriber can install and activate any plugin from the WordPress repository.
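The pattern described above, shown as an added example rather than the plugin's own code: a nonce-only AJAX handler beside a version that also checks capabilities and only hands the nonce to users who may use the endpoint. All hook, action and function names (example_*) and the script handle 'example-admin' are hypothetical placeholders.

```php
<?php
// Added example (not from the plugin): vulnerable shape vs. hardened shape of
// a wp_ajax_* plugin-install handler. Names are hypothetical stand-ins.

// --- Vulnerable pattern: nonce only, no capability check -------------------
// A nonce is an anti-CSRF token, not an authorization check. Any logged-in
// user who can read it from the enqueued script data passes this handler.
function example_install_plugin_vulnerable() {
    check_ajax_referer( 'example_nonce_action', 'nonce' );
    $slug = isset( $_POST['slug'] ) ? sanitize_key( $_POST['slug'] ) : '';
    example_do_install( $slug ); // placeholder for the plugin's install routine
    wp_send_json_success();
}
// (intentionally not registered; shown only for comparison)

// --- Hardened pattern: nonce (CSRF) + capability (authorization) -----------
function example_install_plugin_hardened() {
    check_ajax_referer( 'example_nonce_action', 'nonce' );

    // Installing and activating plugins are distinct privileges; a Subscriber
    // holds neither 'install_plugins' nor 'activate_plugins'.
    if ( ! current_user_can( 'install_plugins' ) || ! current_user_can( 'activate_plugins' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $slug = isset( $_POST['slug'] ) ? sanitize_key( $_POST['slug'] ) : '';
    if ( '' === $slug ) {
        wp_send_json_error( array( 'message' => 'Missing plugin slug.' ), 400 );
    }
    example_do_install( $slug ); // placeholder for the plugin's install routine
    wp_send_json_success();
}
add_action( 'wp_ajax_example_install_plugin', 'example_install_plugin_hardened' );

// Expose the nonce only to users who are allowed to call the endpoint, instead
// of to every logged-in user via admin_enqueue_scripts. Assumes a script with
// handle 'example-admin' has already been registered/enqueued.
function example_enqueue_admin_data() {
    if ( ! current_user_can( 'install_plugins' ) ) {
        return;
    }
    wp_localize_script( 'example-admin', 'exampleAjax', array(
        'nonce' => wp_create_nonce( 'example_nonce_action' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_admin_data' );
```

The capability check is the fix for this class of bug; restricting who receives the nonce is defense in depth, since a nonce leaked to a low-privileged role proves nothing about authorization.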

Recommendations

Update immediately if you have version 1.0.18 or below installed. If you are using our web application firewall for WordPress, NinjaFirewall WP Edition (free) and NinjaFirewall WP+ Edition (premium), you are protected against this vulnerability.

Timeline

The vulnerability was reported to the developers on June 24, 2024, and a new version 1.0.19 was released on June 25, 2024.
