CVE-2019-25738
Description
WordPress Hybrid Composer 1.4.6 allows unauthenticated attackers to enable user registration and set default roles to administrator via hc_ajax_save_option.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The WordPress Hybrid Composer plugin, in version 1.4.6 and earlier, exposes an AJAX action named hc_ajax_save_option that is reachable without authentication. The handler passes the user-supplied option_name and content request parameters straight to update_option(), so a caller can write any WordPress option with any value [3], [4].
Exploitation
An unauthenticated attacker exploits this by sending a POST request to the site's wp-admin/admin-ajax.php endpoint with the action parameter set to hc_ajax_save_option, together with the option_name to overwrite and the content to store in it. No session, nonce or capability check stands in the way, so the request rewrites the WordPress option directly [3], [4].
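The following is an added illustration, not the plugin's source (the page carries no code for this CVE): a reconstruction of the handler pattern the Vulnerability and Exploitation paragraphs describe, placed beside a hardened version. The callback names, the hook registration on wp_ajax_nopriv_hc_ajax_save_option (WordPress's mechanism for anonymous admin-ajax actions) and the allowlisted option names are assumptions; the WordPress functions used (add_action, update_option, current_user_can, check_ajax_referer, sanitize_key, wp_send_json_error) are standard core APIs.

```php
<?php
/*
 * Added example, not Hybrid Composer's code. Reconstructs the pattern the
 * description implies: an admin-ajax handler reachable anonymously that
 * forwards request parameters straight to update_option().
 * Hook name follows WordPress's wp_ajax_nopriv_{action} convention for
 * unauthenticated callers; the callback names below are assumed.
 */

/* --- Vulnerable pattern --------------------------------------------- */
add_action( 'wp_ajax_nopriv_hc_ajax_save_option', 'hc_ajax_save_option_vulnerable' );
add_action( 'wp_ajax_hc_ajax_save_option', 'hc_ajax_save_option_vulnerable' );

function hc_ajax_save_option_vulnerable() {
    // No nonce, no capability check, no restriction on which option is written.
    // Two anonymous POSTs to wp-admin/admin-ajax.php are enough to take the site:
    //   action=hc_ajax_save_option&option_name=users_can_register&content=1
    //   action=hc_ajax_save_option&option_name=default_role&content=administrator
    update_option( $_POST['option_name'], $_POST['content'] );
    wp_die();
}

/* --- Hardened form --------------------------------------------------- */
// Registered for logged-in users only. With no wp_ajax_nopriv_ registration,
// admin-ajax.php answers anonymous callers with "0" and an HTTP 400.
add_action( 'wp_ajax_hc_ajax_save_option', 'hc_ajax_save_option_hardened' );

function hc_ajax_save_option_hardened() {
    // Authorisation: only users who may manage options at all.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // CSRF protection: the client must send a nonce created with
    // wp_create_nonce( 'hc_save_option' ) in the "nonce" field; dies on failure.
    check_ajax_referer( 'hc_save_option', 'nonce' );

    // Allowlist: only options this plugin owns (names assumed for the example).
    $allowed = array( 'hc_layout', 'hc_colors' );
    $name    = isset( $_POST['option_name'] ) ? sanitize_key( wp_unslash( $_POST['option_name'] ) ) : '';
    if ( ! in_array( $name, $allowed, true ) ) {
        wp_send_json_error( 'option not allowed', 400 );
    }

    $value = isset( $_POST['content'] ) ? sanitize_text_field( wp_unslash( $_POST['content'] ) ) : '';
    update_option( $name, $value );
    wp_send_json_success( array( 'option' => $name ) );
}
```

The three controls in the hardened handler are independent and all three are needed: the capability check stops anonymous and low-privilege users, the nonce stops a logged-in administrator from being tricked into sending the request from another site, and the allowlist keeps a legitimate caller from reaching core options such as users_can_register or default_role through a plugin endpoint.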
Impact
Successful exploitation lets the attacker overwrite critical WordPress options. Setting users_can_register to 1 and default_role to administrator (the options behind "Anyone can register" and "New User Default Role") means the attacker can then register an ordinary account that is created as an administrator, giving full control of the site. Because the write is arbitrary, other options can be altered as well, with whatever impact those options carry [3], [4].
Mitigation
The cited references do not identify a patched release; the affected range covers versions up to and including 1.4.6. Update Hybrid Composer to a release later than 1.4.6 if one is available, and otherwise deactivate or remove the plugin. Afterwards, verify that users_can_register and default_role still hold their intended values and review the administrator accounts for any that were created unexpectedly [3], [4].
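Where the plugin cannot be updated or removed immediately, a must-use plugin can neutralise the anonymous action and block the specific abuse the description names. The following is an added example written for this page, not a vendor patch; it assumes the vulnerable handler is registered on the wp_ajax_nopriv_hc_ajax_save_option hook, and the filter on default_role is a defence-in-depth measure beyond what the references describe.

```php
<?php
/*
 * Plugin Name: Virtual patch for CVE-2019-25738 (added example, not a vendor fix)
 * Place in wp-content/mu-plugins/ so it loads before regular plugins.
 * Assumption: the unauthenticated action lives on the
 * wp_ajax_nopriv_hc_ajax_save_option hook, as the description implies.
 */

// 1. Unhook every callback for the anonymous action. admin-ajax.php fires
//    admin_init before dispatching the action, so running at the latest
//    priority removes the handler no matter when the plugin registered it.
add_action( 'admin_init', function () {
    remove_all_actions( 'wp_ajax_nopriv_hc_ajax_save_option' );
}, PHP_INT_MAX );

// 2. Defence in depth: refuse to store a privileged role as the default for
//    new registrations, whoever asks. update_option() compares the filtered
//    value with the stored one, so returning $old_value makes it a no-op.
add_filter( 'pre_update_option_default_role', function ( $value, $old_value ) {
    $role = get_role( (string) $value );
    if ( null === $role || $role->has_cap( 'manage_options' ) ) {
        error_log( 'CVE-2019-25738 guard: blocked default_role = ' . var_export( $value, true ) );
        return $old_value;
    }
    return $value;
}, 10, 2 );
```

This only closes the one action named in the advisory; the plugin's other handlers are untouched and the arbitrary option write is still present for any logged-in path, so treat it as a stopgap. After deploying it, confirm the state with WP-CLI: `wp option get users_can_register`, `wp option get default_role` and `wp user list --role=administrator`.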
AI Insight generated on Jun 4, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=1.4.6
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
No linked articles in our index yet.