#VU26224 Improper access control in Responsive Add Ons
Published: March 19, 2020
Vulnerability identifier: #VU26224
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:L/SC:L/SI:H/SA:L/E:P/U:Amber
CVE-ID: N/A
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
Responsive Add Ons
Responsive Add Ons
Software vendor:
CyberChimps inc.
CyberChimps inc.
Description
The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions in various AJAX actions (23). A remote authenticated attacker can bypass implemented security restrictions and reset site data, inject malicious JavaScript in pages, modify theme customizer data, import .xml and .json files and activate plugins, among many other actions.
Note: Majority of the vulnerable AJAX action were found in the "/class-responsive-ready-sites-importer.php" file.
Remediation
Install updates from vendor's website.