Can you explain this vulnerability to me?

The Construction Light WordPress theme before version 1.6.8 has a vulnerability where it lacks proper authorization and CSRF protection when activating features via an AJAX action. This means that any authenticated user, including low-privilege users like subscribers, can activate arbitrary features or actions that they should not be able to.

Useful 0 Not Useful 0

How can this vulnerability impact me? :

This vulnerability can allow authenticated users with low privileges to perform unauthorized actions by activating arbitrary features via AJAX. This could lead to unauthorized changes on the website, potentially compromising the site's integrity or functionality.

Useful 0 Not Useful 0

How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring for POST requests to the endpoint `/wp-admin/admin-ajax.php` with the parameter `action=constructionlight_activate_plugin`. Specifically, look for requests that include plugin identifiers such as `slug` and `file` parameters. A sample command to detect such attempts using curl could be: `curl -X POST -d "action=constructionlight_activate_plugin&slug=wp-record&file=wp-record" https://yourwordpresssite.com/wp-admin/admin-ajax.php`. Additionally, network monitoring tools or web application firewalls can be configured to alert on such POST requests targeting this AJAX action. [1]

Useful 0 Not Useful 0

What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to update the Construction Light WordPress theme to version 1.6.8 or later, where this vulnerability has been fixed. Until the update can be applied, restrict authenticated user roles from accessing or executing AJAX actions related to plugin activation, or implement additional authorization checks at the server level to prevent unauthorized plugin activation via the vulnerable AJAX endpoint. [1]

Useful 0 Not Useful 0