WordPress 2J SlideShow plugin fixed authenticated arbitrary plugin deactivation vulnerability.

The WordPress 2J SlideShow plugin (3,000+ active installations) fixed a vulnerability, present in versions 1.3.31 and below, that could allow any authenticated user to deactivate any plugin on the blog.

Authenticated Plugin Deactivation

In the “2j-slideshow/inc/addons/setup/setup.class.php” script, the plugin registers its twoj_slideshow_setup method as an AJAX handler via the WordPress AJAX API:

// wp_ajax_* hooks are reachable by any logged-in user, regardless of role
add_action('wp_ajax_twoj_slideshow_setup', array($this, 'twoj_slideshow_setup') );
...
...
public function twoj_slideshow_setup(){
   // no nonce check and no capability check before acting on user input
   if( isset( $_POST['plugin'] ) )
      deactivate_plugins( $_POST['plugin'] );
...
...

It takes the $_POST['plugin'] user input and passes it to the WordPress deactivate_plugins function without checking the user's capabilities, hence allowing any authenticated user, such as a subscriber, to deactivate any plugin on the blog.
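For comparison, here is an added example of what a capability- and nonce-checked version of that handler looks like; it is illustrative code written for this page, not the plugin's own patch, and the nonce action name twoj_slideshow_setup_nonce is an assumption:

```php
<?php
// Added example: a hardened version of the AJAX handler discussed above.
// It is not the plugin's actual fix. The nonce action name is assumed.

class TwoJ_Slideshow_Setup_Hardened {

    public function __construct() {
        // Same hook as the original. wp_ajax_* actions are reachable by every
        // logged-in user, so the handler itself must enforce authorization.
        add_action( 'wp_ajax_twoj_slideshow_setup', array( $this, 'twoj_slideshow_setup' ) );
    }

    public function twoj_slideshow_setup() {
        // 1. CSRF protection: the request must carry a nonce issued to this
        //    user for this action (hypothetical action name). Dies on failure.
        check_ajax_referer( 'twoj_slideshow_setup_nonce', 'nonce' );

        // 2. Authorization: require the same capability WordPress demands on
        //    the Plugins screen. A subscriber account fails this check.
        if ( ! current_user_can( 'activate_plugins' ) ) {
            wp_send_json_error( 'insufficient permissions', 403 );
        }

        if ( ! isset( $_POST['plugin'] ) ) {
            wp_send_json_error( 'missing plugin parameter', 400 );
        }

        // 3. Input validation: only accept a plugin file that is actually
        //    installed rather than forwarding an arbitrary string.
        $plugin = sanitize_text_field( wp_unslash( $_POST['plugin'] ) );

        if ( ! function_exists( 'get_plugins' ) ) {
            require_once ABSPATH . 'wp-admin/includes/plugin.php';
        }
        if ( ! array_key_exists( $plugin, get_plugins() ) ) {
            wp_send_json_error( 'unknown plugin', 400 );
        }

        deactivate_plugins( $plugin );
        wp_send_json_success( array( 'deactivated' => $plugin ) );
    }
}

new TwoJ_Slideshow_Setup_Hardened();
```

Each wp_send_json_error call terminates the request, so the deactivation only runs once the nonce, capability and plugin-path checks have all passed.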

Timeline

The vulnerability was reported to the wordpress.org team on December 09, 2019.

Recommendations

Update as soon as possible if you have version 1.3.31 or below installed.
If you are using our web application firewall for WordPress, NinjaFirewall WP Edition (free) or NinjaFirewall WP+ Edition (premium), you are protected against this vulnerability.

Stay informed about the latest vulnerabilities in WordPress plugins and themes: @nintechnet