Product Slider for WooCommerce < 2.5.7 - Subscriber+ Arbitrary Options Deletion
Description
The Product Slider for WooCommerce plugin before 2.5.7 allows authenticated users (subscriber+) to delete arbitrary WordPress options via a CSRF-vulnerable AJAX action.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Product Slider for WooCommerce plugin for WordPress versions before 2.5.7 contains flawed CSRF checks and lacks authorization in some AJAX actions. Specifically, one AJAX action allows deletion of arbitrary blog options. The vulnerability is present in versions prior to 2.5.7, and any authenticated user, including subscribers, can trigger the action due to missing capability checks [1].
Exploitation
An attacker can exploit this vulnerability simply by being an authenticated user with a subscriber role or higher. No additional privileges are required. The attacker can directly call the vulnerable AJAX action to delete arbitrary WordPress options. Additionally, due to the flawed CSRF checks, an attacker could potentially trick a higher-privileged user into performing the action via a cross-site request [1].
Impact
Successful exploitation allows an attacker to delete arbitrary options from the WordPress options table (wp_options). This can misconfigure the site, disable essential features, and potentially facilitate privilege escalation or denial of service. Deleting critical options could break site functionality or allow further compromise [1].
Mitigation
Update the plugin to version 2.5.7 or later, which fixes the authorization and CSRF issues. As of the publication date (2022-08-22), no other workarounds are publicly available [1]. The fix is included in version 2.5.7 released on 2022-07-26.
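The two missing controls described above (a CSRF nonce check and a capability check on the AJAX action) are shown here as an added illustration, not the plugin's own code; the action names, option names and nonce action are assumptions, and the allowlist is an extra hardening step beyond what the advisory states.

```php
<?php
// Illustrative example, not the plugin's code. Hypothetical action/option names.

// Vulnerable pattern: any logged-in user can reach a wp_ajax_ handler, and with
// no nonce and no capability check the option name comes straight from the request.
function example_delete_option_unsafe() {
    $name = isset( $_POST['option_name'] ) ? sanitize_text_field( wp_unslash( $_POST['option_name'] ) ) : '';
    delete_option( $name ); // any row in wp_options, e.g. a core setting, can be removed
    wp_send_json_success();
}
add_action( 'wp_ajax_example_delete_option_unsafe', 'example_delete_option_unsafe' );

// Hardened pattern: nonce (stops cross-site requests), capability (stops
// subscribers), and an allowlist of the plugin's own option names.
const EXAMPLE_DELETABLE_OPTIONS = array( 'example_slider_cache', 'example_slider_settings' );

function example_delete_option_safe() {
    // Dies with -1 / HTTP 403 unless a valid nonce for this action was sent as 'nonce'.
    check_ajax_referer( 'example_delete_option', 'nonce' );

    // Only users who may manage options proceed; a subscriber fails here.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    $name = isset( $_POST['option_name'] ) ? sanitize_key( wp_unslash( $_POST['option_name'] ) ) : '';
    if ( ! in_array( $name, EXAMPLE_DELETABLE_OPTIONS, true ) ) {
        wp_send_json_error( array( 'message' => 'option not deletable' ), 400 );
    }

    delete_option( $name );
    wp_send_json_success( array( 'deleted' => $name ) );
}
add_action( 'wp_ajax_example_delete_option_safe', 'example_delete_option_safe' );

// The nonce the admin script must send is minted server-side when the script is enqueued:
// wp_localize_script( 'example-admin', 'exampleAjax',
//     array( 'nonce' => wp_create_nonce( 'example_delete_option' ) ) );
```

Both wp_send_json_error and a failed check_ajax_referer terminate the request, so delete_option() is never reached on a rejected call.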
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: <2.5.7
References
[1] wpscan.com/vulnerability/777d4637-444b-4eda-bc21-95d3a3bf6cd3 (MITRE refsource: MISC)