The WordPress CartFlows plugin, which has 30,000+ active installations, fixed a privilege escalation vulnerability affecting version 1.3.0 and below.
Reference
A CVE ID has been requested and we’ll update this post when it is assigned.
Authenticated Plugin Activation
In the “classes/class-cartflows-importer.php” script, the plugin registers the cartflows_activate_plugin hook inside the __construct method:
add_action( 'wp_ajax_cartflows_activate_plugin', array( $this, 'activate_plugin' ) );
The activate_plugin function is located at line 1639:
/**
 * Ajax action to activate plugin
 */
public function activate_plugin() {
    $plugin_init = isset( $_POST['plugin_init'] ) ? sanitize_text_field( $_POST['plugin_init'] ) : '';
    $activate = activate_plugin( $plugin_init, '', false, true );
    ...
    ...
The handler performs no capability check (for instance current_user_can( 'activate_plugins' )) and verifies no nonce. Since wp_ajax_ actions are reachable by any logged-in user, an authenticated user with as little as the subscriber role could activate any installed plugin on the site, and activate_plugin() itself does not verify who is calling it.
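For comparison, here is how such an AJAX handler is normally hardened. This is an added example written for this post, not CartFlows code or the fix shipped in 1.3.1; the class name, the example_activate_plugin hook and nonce action, the 'security' POST field and the 'example-admin' script handle are assumptions.

```php
<?php
// Added example, not CartFlows code: a hardened AJAX plugin-activation handler.
// Hook name, nonce action, POST field name and script handle are assumptions.

class Example_Plugin_Activator {

	public function __construct() {
		// wp_ajax_{action} fires only for logged-in users, but "logged in" includes
		// subscribers, so the hook alone is not an authorization check.
		add_action( 'wp_ajax_example_activate_plugin', array( $this, 'activate_plugin' ) );
		add_action( 'admin_enqueue_scripts', array( $this, 'enqueue' ) );
	}

	public function enqueue() {
		// Hand the nonce to the (assumed, already registered) admin script so the
		// legitimate front end can send it back in the 'security' POST field.
		wp_localize_script( 'example-admin', 'exampleAjax', array(
			'nonce' => wp_create_nonce( 'example_activate_plugin' ),
		) );
	}

	public function activate_plugin() {
		// 1. Nonce: blocks cross-site requests. check_ajax_referer() terminates the
		//    request with -1 / HTTP 403 when the nonce is missing or invalid.
		check_ajax_referer( 'example_activate_plugin', 'security' );

		// 2. Capability: the check the vulnerable handler lacked. Only roles that may
		//    activate plugins (administrators by default) get past this point.
		if ( ! current_user_can( 'activate_plugins' ) ) {
			wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
		}

		// 3. Input: sanitize, then accept only a plugin that is actually installed.
		$plugin_init = isset( $_POST['plugin_init'] )
			? sanitize_text_field( wp_unslash( $_POST['plugin_init'] ) )
			: '';

		if ( ! function_exists( 'get_plugins' ) ) {
			require_once ABSPATH . 'wp-admin/includes/plugin.php';
		}

		// get_plugins() is keyed by the same "dir/file.php" path activate_plugin() expects.
		if ( '' === $plugin_init || ! array_key_exists( $plugin_init, get_plugins() ) ) {
			wp_send_json_error( array( 'message' => 'Unknown plugin.' ), 400 );
		}

		$result = activate_plugin( $plugin_init, '', false, true );

		if ( is_wp_error( $result ) ) {
			wp_send_json_error( array( 'message' => $result->get_error_message() ), 500 );
		}

		wp_send_json_success( array( 'activated' => $plugin_init ) );
	}
}

new Example_Plugin_Activator();
```

The nonce and the capability check answer two different questions (is this request genuinely from our own page, and is this user allowed to do this), so both are needed: a nonce alone would still let a subscriber activate plugins from the site's own admin UI, and a capability check alone would leave an administrator exposed to cross-site request forgery.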
Timeline
The vulnerability was reported to the authors on November 04, 2019 and a new version 1.3.1 was released on November 06, 2019.
Recommendations
Update as soon as possible if you have version 1.3.0 or below installed.
If you are using our web application firewall for WordPress, NinjaFirewall WP Edition (free) and NinjaFirewall WP+ Edition (premium), you are protected against this vulnerability.
Stay informed about the latest vulnerabilities in WordPress plugins and themes: @nintechnet