VYPR
Unrated severity · NVD Advisory · Published Nov 15, 2024 · Updated Apr 8, 2026 · No known patch

External Database Based Actions <= 0.1 - Authenticated (Subscriber+) Authentication Bypass

CVE-2024-10311

Description

The External Database Based Actions plugin for WordPress ≤0.1 lacks a capability check, allowing authenticated subscribers to bypass authentication and log in as any user.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

The External Database Based Actions plugin for WordPress, versions up to and including 0.1, contains an authentication bypass rooted in the edba_admin_handle function in lib/edba-admin-ajax-controller.php [1]. That function dispatches the AJAX sub-actions save_query, save_action and check_db without a capability check (for example current_user_can()) or a nonce check. Because WordPress runs wp_ajax_* handlers for every logged-in user, any authenticated account, including a subscriber, can invoke these sub-actions and change the plugin's settings.
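The pattern the advisory describes, shown as an added illustration rather than the plugin's actual code: an admin-side AJAX handler that dispatches sub-actions with no capability or nonce check, next to a hardened version. The function names edba_admin_handle_vulnerable and edba_admin_handle_hardened, the sub_action and nonce request parameters, the edba_target_user_login option and the edba_admin_nonce nonce action are all hypothetical; only the hook name edba_admin_handle and the sub-action names come from the advisory.

```php
<?php
// Added example, not the plugin's own code. Names marked hypothetical are assumptions.

// --- Vulnerable pattern ---------------------------------------------------
// In a plugin this would be wired up as:
//   add_action( 'wp_ajax_edba_admin_handle', 'edba_admin_handle_vulnerable' );
// wp_ajax_{action} hooks fire for ANY logged-in user, subscribers included, so
// the handler itself is the only place authorization can happen, and here it
// never does: no current_user_can(), no check_ajax_referer().
function edba_admin_handle_vulnerable() {
    $sub_action = isset( $_POST['sub_action'] ) ? sanitize_key( $_POST['sub_action'] ) : ''; // hypothetical parameter

    switch ( $sub_action ) {
        case 'save_action':
            // A subscriber can point the plugin at an administrator account here.
            $login = sanitize_user( wp_unslash( $_POST['user_login'] ?? '' ) );
            update_option( 'edba_target_user_login', $login ); // hypothetical option name
            wp_send_json_success();
        // save_query and check_db would be dispatched the same way
    }
    wp_send_json_error( 'unknown action', 400 );
}

// --- Hardened pattern -----------------------------------------------------
// Registered instead of the vulnerable handler above.
add_action( 'wp_ajax_edba_admin_handle', 'edba_admin_handle_hardened' );

function edba_admin_handle_hardened() {
    // 1. Authorization: only users allowed to manage site settings may proceed.
    //    wp_send_json_error() terminates the request, so nothing below runs.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 2. Request forgery: the call must carry a nonce minted for this action.
    //    With the default third argument (true) WordPress dies with -1 on mismatch.
    check_ajax_referer( 'edba_admin_nonce', 'nonce' ); // hypothetical nonce action / field

    $sub_action = isset( $_POST['sub_action'] ) ? sanitize_key( $_POST['sub_action'] ) : '';

    switch ( $sub_action ) {
        case 'save_action':
            // 3. Validate the value as well as the caller: strict sanitization and
            //    the account must actually exist before it is stored.
            $login = sanitize_user( wp_unslash( $_POST['user_login'] ?? '' ), true );
            if ( '' === $login || ! get_user_by( 'login', $login ) ) {
                wp_send_json_error( 'invalid user', 400 );
            }
            update_option( 'edba_target_user_login', $login );
            wp_send_json_success();
        default:
            wp_send_json_error( 'unknown action', 400 );
    }
}

// The admin page that issues the AJAX call must hand the nonce to its script, e.g.:
// wp_localize_script( 'edba-admin', 'edbaAjax', array(
//     'nonce' => wp_create_nonce( 'edba_admin_nonce' ),
// ) );
```

The capability check is the authorization control the advisory says is missing; the nonce check is separate and covers cross-site request forgery, so a handler needs both. Note that check_ajax_referer() on its own is not an authorization check: a subscriber who can reach the admin page that mints the nonce still passes it.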

Exploitation

An attacker needs only a valid WordPress account with subscriber-level privileges or higher. Sending a crafted POST request to the WordPress AJAX endpoint (wp-admin/admin-ajax.php) with action=edba_admin_handle and the parameters for the save_action case lets the attacker set the plugin's target user to any existing account, such as an administrator, through the user_login parameter [1]. The attacker can then use the plugin's own login functionality, which the advisory description implies exists, to authenticate as that user, bypassing the normal WordPress login flow.

Impact

Successful exploitation lets the attacker log in as any existing user on the site, including administrators. That amounts to complete compromise of the WordPress site: full control over content and user accounts and, because administrators can install plugins and edit theme files, arbitrary PHP execution on the web server under the account that serves the site. Confidentiality, integrity and availability are all affected.

Mitigation

The plugin has been closed and removed from the WordPress.org plugin directory as of November 14, 2024, due to this security issue [2]. No patched version has been released. Users who have the plugin installed should uninstall it immediately. There is no known workaround; the only safe course is to remove the plugin entirely.

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

Plugin removed · External Database Based Actions (slug: external-database-based-actions)

This plugin has been removed from the WordPress.org directory on 2024-11-14 (reason: Security Issue). No patched version is being distributed through the official directory. Users who have it installed should uninstall it.

Source: api.wordpress.org plugin directory page
