High severity vulnerability in WordPress Deeper Comments plugin (unpatched).

The WordPress Deeper Comments plugin v2.1.1 is prone to an unpatched broken access control vulnerability that could allow full site takeover.

Authenticated Arbitrary WordPress Options Change

CVSS v3.1: 8.8 (High)

    public function update_options() {

        // check nonce (CSRF protection only; no capability check follows)
        check_ajax_referer( 'dpr_admin_nonce', 'security' );

        // the name of the option to update is taken straight from the request
        $old_opts = get_option( $_POST['form'][0]['value'] );
        $new_opts = array();

        // get options after save action
        for ( $i = 0; $i < 1; $i++ ) {
            for ( $j = 0; $j < sizeof( $_POST['form'] ); $j++ ) {

                // get opts names (the first four form fields are skipped)
                if ( $j > 3 ) {
                    $key = $this->find_string( $_POST['form'][$j]['name'], '[', ']' );
                    $val = $_POST['form'][$j]['value'];
                    if ( isset( $new_opts[$key] ) ) {
                        if ( ! is_array( $new_opts[$key] ) ) {
                            $_val = $new_opts[$key];
                            $new_opts[$key] = [];
                            $new_opts[$key][$val] = $_val;
                        }
                        $new_opts[$key][$val] = $val;
                    } else {
                        $new_opts[$key] = $val;
                    }
                }
            }
        }

        // replace new value with old value
        if ( is_array( $old_opts ) ) {
            $basket = array_merge( $old_opts, $new_opts );
        } else {
            $basket = $new_opts;
        }

        // update dpr options (again using the request-supplied option name)
        update_option( $_POST['form'][0]['value'], $basket );
        wp_send_json_success();
        wp_die();
    }

In the “deeper-comments/models/admin/depc-model-admin-settings.php” script, the wp_ajax_update_options AJAX endpoint calls the update_options method. That method lacks a capability check to ensure that only an administrator can reach it. It does verify a nonce (dpr_admin_nonce), but the nonce is exposed in the WordPress admin dashboard to every logged-in user because the script carrying it is loaded via the admin_enqueue_scripts hook, and a nonce only proves that a request originated from the admin interface, not that the user is authorized.
Because the option name is also taken from the request, a low-privileged user such as a subscriber can call that function to modify the user_roles option in the WordPress options table and assign high-privileged capabilities to their own role (manage_options, install_plugins, upload_files, edit_users, etc.) in order to take over the website.
They can also modify the plugin’s settings and several other WordPress options in the database.
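The following is an added example of how such a handler can be hardened; it is not the plugin's code and no official patch exists. It adds the missing current_user_can() check, restricts the writable option name to an allowlist, sanitizes the submitted values, and enqueues the nonce-bearing script only on the plugin's own settings page. The option name 'dpr_settings' and the hook suffix 'settings_page_deeper-comments' are placeholder assumptions.

```php
// Added example (not the plugin's code; no official patch exists): hardened
// versions of the update_options handler and of the script enqueue.
// DPR_ALLOWED_OPTIONS and the settings-page hook suffix are placeholder assumptions.

const DPR_ALLOWED_OPTIONS = array( 'dpr_settings' ); // placeholder: plugin-owned options only

function dpr_enqueue_admin_script( $hook_suffix ) {
    // Expose the script (and thus the nonce) only on the plugin's settings page,
    // which add_options_page() already restricts to manage_options, not on every admin page.
    if ( 'settings_page_deeper-comments' !== $hook_suffix ) { // placeholder hook suffix
        return;
    }
    wp_enqueue_script( 'dpr-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'dpr-admin', 'dprAdmin', array( 'nonce' => wp_create_nonce( 'dpr_admin_nonce' ) ) );
}
add_action( 'admin_enqueue_scripts', 'dpr_enqueue_admin_script' );

function dpr_update_options() {
    check_ajax_referer( 'dpr_admin_nonce', 'security' ); // CSRF check, as in the original
    // The missing authorization check: a valid nonce shows the request came from
    // the admin UI, not that the caller is allowed to change options.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $form = ( isset( $_POST['form'] ) && is_array( $_POST['form'] ) ) ? wp_unslash( $_POST['form'] ) : array();
    // The request may not choose the option name freely: user_roles and every other core option are refused.
    $option_name = isset( $form[0]['value'] ) ? sanitize_key( $form[0]['value'] ) : '';
    if ( ! in_array( $option_name, DPR_ALLOWED_OPTIONS, true ) ) {
        wp_send_json_error( 'option_not_allowed', 400 );
    }
    // Fields 0-3 are form metadata in the original layout; settings start at index 4.
    $new_opts = array();
    foreach ( array_slice( $form, 4 ) as $field ) {
        // Extract the key between '[' and ']' as the original find_string() did, then sanitize it.
        if ( ! preg_match( '/\[([^\]]+)\]/', (string) ( $field['name'] ?? '' ), $m ) ) {
            continue;
        }
        $key   = sanitize_key( $m[1] );
        $value = sanitize_text_field( (string) ( $field['value'] ?? '' ) );
        if ( isset( $new_opts[ $key ] ) ) { // a repeated key (e.g. checkboxes) becomes a list
            $new_opts[ $key ]   = (array) $new_opts[ $key ];
            $new_opts[ $key ][] = $value;
        } else {
            $new_opts[ $key ] = $value;
        }
    }
    $old_opts = get_option( $option_name, array() );
    update_option( $option_name, array_merge( (array) $old_opts, $new_opts ) );
    wp_send_json_success();
}
add_action( 'wp_ajax_update_options', 'dpr_update_options' );
```

wp_send_json_error() terminates the request itself, so the error branches need no explicit return.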

Timeline

The vulnerability was reported to the developers on June 23, 2023, but no security patch has been released in the past 4 months.
Users of our web application firewall for WordPress, NinjaFirewall WP Edition (free) and NinjaFirewall WP+ Edition (premium), are protected against this vulnerability.
