Improper access control in Responsive Add Ons - #VU26224
Published: March 19, 2020
Vulnerability identifier: #VU26224
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:L/SC:L/SI:H/SA:L/E:P/U:Amber
CVE-ID: N/A
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: CyberChimps inc.
Affected software:
Responsive Add Ons
Responsive Add Ons
Detailed vulnerability description
The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions in various AJAX actions (23). A remote authenticated attacker can bypass implemented security restrictions and reset site data, inject malicious JavaScript in pages, modify theme customizer data, import .xml and .json files and activate plugins, among many other actions.
Note: Majority of the vulnerable AJAX action were found in the "/class-responsive-ready-sites-importer.php" file.
Remediation
Install updates from vendor's website.