High severity vulnerability in WordPress Deeper Comments plugin (unpatched).

The WordPress Deeper Comments plugin v2.1.1 is prone to an unpatched broken access control vulnerability that could allow full site takeover.

Authenticated Arbitrary WordPress Options Change

CVSS v3.1: 8.8 (High)

public function update_options() {

   // check nonce
   check_ajax_referer( 'dpr_admin_nonce', 'security' );
   $old_opts = get_option( $_POST['form'][0]['value'] );
   $new_opts = array();
   // get options after save action
   for ( $i=0; $i < 1 ; $i++ ) {
      for ( $j=0; $j < sizeof( $_POST['form'] ); $j++ ) {

         // get opts names
         if ( $j > 3 ) {

            $key = $this->find_string( $_POST['form'][$j]['name'], '[', ']' );
            $val = $_POST['form'][$j]['value'];
            if(isset( $new_opts[$key] )) {
               if(!is_array($new_opts[$key])) {
                  $_val = $new_opts[$key];
                  $new_opts[$key] = [];
                  $new_opts[$key][$val] = $_val;
               }
               $new_opts[$key][$val] = $val;
            } else {
               $new_opts[$key] = $val;
            }
   
         }

      }

   }

   // replace new value with old value
   if ( is_array( $old_opts ) ) {

      $basket = array_merge( $old_opts, $new_opts );

   } else {

      $basket = $new_opts;

   }

   // update dpr options
   update_option( $_POST['form'][0]['value'], $basket );
   
   wp_send_json_success();
   wp_die();

}

In the “deeper-comments/models/admin/depc-model-admin-settings.php” script, the wp_ajax_update_options AJAX endpoint loads the update_options method. That method lacks a capability check to ensure that only an administrator can access it. It does verify a nonce (dpr_admin_nonce), but that nonce is leaked to any logged-in user in the WordPress admin dashboard because the script carrying it is loaded via the admin_enqueue_scripts hook, so the nonce provides no authorization.
A low-privileged user such as a subscriber can interact with that function to modify the user_roles option in the WordPress options table and assign high-privileged capabilities to themselves (manage_options, install_plugins, upload_files, edit_users, etc.) in order to take over the website.
They can also modify the plugin’s settings and several other WordPress options in the database.
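For comparison, here is how a hardened version of that handler would look. This is an added example written for this page, not the plugin's code or a vendor patch; the class name, the option name 'dpr_options', the setting keys in the allowlist and the 'settings' request parameter are assumptions made for illustration. The two fixes that matter are the current_user_can() check (a nonce only proves the request originated from a page served to this user, not that the user may change options) and taking the option name from a constant instead of from $_POST, so the endpoint can never write to user_roles or any other core option.

```php
<?php
/**
 * Hardened AJAX options handler (added example, not the plugin's own code).
 * Assumptions: option name 'dpr_options', the ALLOWED_KEYS list, and the
 * 'settings' POST parameter are placeholders chosen for this illustration.
 */
class DPR_Settings_Handler_Hardened {

    // The only option this endpoint may write. Never take the option name
    // from the request: that is what let a subscriber overwrite user_roles.
    const OPTION_NAME = 'dpr_options'; // assumed name

    // Allowlist of setting keys the plugin owns (assumed for the example).
    const ALLOWED_KEYS = array( 'enable_comments', 'max_depth', 'theme' );

    public function register() {
        // Only the authenticated hook is registered; there is deliberately
        // no wp_ajax_nopriv_ counterpart.
        add_action( 'wp_ajax_update_options', array( $this, 'update_options' ) );
    }

    public function update_options() {
        // 1. CSRF protection. This is all the original code had, and on its
        //    own it says nothing about what the caller is allowed to do.
        check_ajax_referer( 'dpr_admin_nonce', 'security' );

        // 2. Authorization: the missing check. wp_send_json_error() ends the
        //    request, so subscribers never reach the update below.
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
        }

        // 3. Input validation: expect an associative array of settings and
        //    keep only keys the plugin actually owns.
        $input = ( isset( $_POST['settings'] ) && is_array( $_POST['settings'] ) )
            ? wp_unslash( $_POST['settings'] )
            : array();

        $new_opts = array();
        foreach ( $input as $key => $val ) {
            if ( ! in_array( $key, self::ALLOWED_KEYS, true ) ) {
                continue; // unknown keys are dropped, not stored
            }
            $new_opts[ $key ] = $this->sanitize_value( $key, $val );
        }

        // 4. Merge with the existing settings under the fixed option name.
        $old_opts = get_option( self::OPTION_NAME, array() );
        if ( ! is_array( $old_opts ) ) {
            $old_opts = array();
        }
        update_option( self::OPTION_NAME, array_merge( $old_opts, $new_opts ) );

        wp_send_json_success();
    }

    // Per-key sanitization so values stored in the database have the
    // expected type and range (limits are assumed for the example).
    private function sanitize_value( $key, $val ) {
        switch ( $key ) {
            case 'max_depth':
                return max( 1, min( 10, (int) $val ) );
            case 'enable_comments':
                return (bool) $val;
            default:
                return sanitize_text_field( is_scalar( $val ) ? (string) $val : '' );
        }
    }
}
```

Gating the script enqueue behind a capability check would stop the nonce from being handed to subscribers, but that alone is not a fix: the authorization decision has to live in the handler, because the nonce can still reach a low-privileged user through any other page that prints it.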

Timeline

The vulnerability was reported to the developers on June 23, 2023, but no security patch has been released in the past 4 months.
Users of our web application firewall for WordPress, NinjaFirewall WP Edition (free) and NinjaFirewall WP+ Edition (premium), are protected against this vulnerability.
