DELUCKS SEO [Unauthenticated Options Update]
The DELUCKS SEO plugin performs no security checks when saving its options.
On plugin initialization (which runs on every request), it uses the is_admin()
function to decide whether the current request comes from a site administrator.
However, is_admin() only reports whether the request is for an admin page: it
returns true for every request to the wp-admin path, authenticated or not, and
says nothing about the user's capabilities. When is_admin() returns true, the
plugin calls the method DPC::saveSettings(). That method performs no security
checks at all (no authentication, capability or nonce check) before saving
various options to the database.
In addition, the option names are taken dynamically from the POST request, so anyone can use a specially crafted POST request to update arbitrary options, including WordPress core options.
In this proof of concept we change two core options, users_can_register and default_role, so that registration is open and anyone who registers becomes an administrator. The request is sent unauthenticated to a page under wp-admin so that is_admin() is true (sbwp1.dev is the test site used for the PoC):
curl 'http://sbwp1.dev/wp-admin/index.php' \
  -d 'dpc_save_settings=1&dpc[realnames][users_can_register]=1&dpc[realnames][default_role]=administrator'
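The following is an added illustration of the vulnerable pattern described above next to a hardened version; it is not the plugin's actual code. The class names, the option key whitelist, the option-name prefix and the admin-post action slug are assumptions chosen for the example; only is_admin(), DPC::saveSettings() and the dpc[realnames][...] POST layout come from the advisory.

```php
<?php
/*
 * Illustrative reconstruction of the advisory's pattern (NOT the plugin's code).
 * WordPress API calls used here (is_admin, update_option, current_user_can,
 * check_admin_referer, add_action, wp_die, wp_unslash, sanitize_text_field,
 * wp_safe_redirect, admin_url) are real; everything else is assumed.
 */

// --- Vulnerable pattern: is_admin() mistaken for an authorization check ---
class Vulnerable_Settings {
    public function init() {
        // is_admin() is true for ANY request under /wp-admin/, even without a
        // session. This branch is reachable by an unauthenticated POST.
        if ( is_admin() && isset( $_POST['dpc_save_settings'] ) ) {
            $this->saveSettings();
        }
    }

    public function saveSettings() {
        // No capability check, no nonce check. Option names come straight from
        // the request (assumed mapping consistent with the PoC's
        // dpc[realnames][users_can_register]=1), so core options such as
        // users_can_register and default_role can be overwritten.
        $groups = isset( $_POST['dpc'] ) ? (array) $_POST['dpc'] : array();
        foreach ( $groups as $group => $options ) {
            foreach ( (array) $options as $name => $value ) {
                update_option( $name, $value );
            }
        }
    }
}

// --- Hardened pattern: proper endpoint, capability, nonce and whitelist ---
class Hardened_Settings {
    // Assumed plugin-specific keys; only these may be written, and they are
    // stored under a plugin prefix so core options can never be targeted.
    const ALLOWED_KEYS   = array( 'realnames_enabled', 'realnames_format' );
    const OPTION_PREFIX  = 'dpc_';
    const NONCE_ACTION   = 'dpc_save_settings';

    public function init() {
        // admin_post_{action} only fires for logged-in users hitting
        // admin-post.php?action=dpc_save_settings; we deliberately do not
        // register the admin_post_nopriv_ variant. The settings form must
        // include wp_nonce_field( self::NONCE_ACTION ).
        add_action( 'admin_post_' . self::NONCE_ACTION, array( $this, 'saveSettings' ) );
    }

    public function saveSettings() {
        // 1. Authorization: only users allowed to manage options.
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_die( 'Insufficient permissions.', 403 );
        }
        // 2. CSRF: verify the nonce (dies on failure).
        check_admin_referer( self::NONCE_ACTION );

        // 3. Whitelist: iterate over known keys, never over request keys.
        $incoming = isset( $_POST['dpc']['realnames'] )
            ? (array) $_POST['dpc']['realnames']
            : array();
        foreach ( self::ALLOWED_KEYS as $key ) {
            if ( array_key_exists( $key, $incoming ) ) {
                $value = sanitize_text_field( wp_unslash( $incoming[ $key ] ) );
                update_option( self::OPTION_PREFIX . $key, $value );
            }
        }

        wp_safe_redirect( admin_url( 'options-general.php?page=dpc&updated=1' ) );
        exit;
    }
}
```

The three fixes are independent and all three are needed: the capability check stops unauthenticated and low-privilege users, the nonce stops an administrator's browser from being tricked into submitting the form, and the whitelist plus prefix stops a request from choosing which option gets written even if the first two checks are somehow bypassed. The same result can be obtained with the WordPress Settings API (register_setting() with a sanitize callback), which supplies the nonce and capability handling for you.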