CVE-2023-2833: Diff [2912114:2916148] for reviewx – WordPress Plugin Repository
The ReviewX plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 1.6.13 due to insufficient restriction on the 'rx_set_screen_options' function. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber, to modify their user role by supplying the 'wp_screen_options[option]' and 'wp_screen_options[value]' parameters during a screen option update.
reviewx/trunk/README.txt
r2912114
r2916148
7
7
WC requires at least: 3.1
8
8
WC tested up to: 6.7.0
9
Stable tag: 1.6.13
9
Stable tag: 1.6.14
10
10
License: GPLv3 or later
11
11
License URI: http://www.gnu.org/licenses/gpl-3.0.html
…
…
253
253
254
254
== Changelog ==
255
= 1.6.14 - 22-05-2023 =
256
257
- Security improve
258
255
259
= 1.6.13 - 13-05-2023 =
256
260
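--- a/reviewx/trunk/includes/rx-functions.php
+++ b/reviewx/trunk/includes/rx-functions.php
@@ -973,17 +973,55 @@
 if ( isset( $_POST['wp_screen_options'] ) && is_array( $_POST['wp_screen_options'] ) ) {
 check_admin_referer( 'screen-options-nonce', 'screenoptionnonce' );
-
-$user = wp_get_current_user();
-if ( ! $user ) {
-return;
+
+if ( ! $user = wp_get_current_user() ) {
+return;
 }
-
 $option = $_POST['wp_screen_options']['option'];
-$value = $_POST['wp_screen_options']['value'];
-
-if ( sanitize_key( $option ) != $option ) {
-return;
+$value = (int)$_POST['wp_screen_options']['value'];
+
+if ( $option != sanitize_key( $option ) ) {
+return;
 }
 
+$map_option = $option;
+$type = str_replace( 'edit_', '', $map_option );
+$type = str_replace( '_per_page', '', $type );
+if ( in_array( $type, get_taxonomies() ) ) {
+$map_option = 'edit_tags_per_page';
+} elseif ( in_array( $type, get_post_types() ) ) {
+$map_option = 'edit_per_page';
+} else {
+$option = str_replace( '-', '_', $option );
+}
+
+switch ( $map_option ) {
+case 'edit_per_page':
+case 'users_per_page':
+case 'edit_comments_per_page':
+case 'upload_per_page':
+case 'edit_tags_per_page':
+case 'plugins_per_page':
+case 'export_personal_data_requests_per_page':
+case 'remove_personal_data_requests_per_page':
+// Network admin
+case 'sites_network_per_page':
+case 'users_network_per_page':
+case 'site_users_network_per_page':
+case 'plugins_network_per_page':
+case 'themes_network_per_page':
+case 'site_themes_network_per_page':
+$value = (int) $value;
+if ( $value < 1 || $value > 999 ) {
+return;
+}
+break;
+default:
+$value = apply_filters( 'set-screen-option', false, $option, $value );
+if ( false === $value ) {
+return;
+}
+break;
+}
+
 update_user_meta( $user->ID, $option, $value );
 }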
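Review bot: The guard on new line 976, `if ( ! $user = wp_get_current_user() ) {`, cannot take its early return: `wp_get_current_user()` returns a `WP_User` object even when nobody is logged in (with `ID` 0), and an object is always truthy, so a request that passes the nonce check without a session would still reach `update_user_meta( $user->ID, ... )` with user 0. Testing the ID instead, `$user = wp_get_current_user(); if ( ! $user->ID ) { return; }`, makes the check meaningful. The allow-list `switch` added at lines 997–1024 mirrors core's `set_screen_options()` in wp-admin/includes/misc.php, which already applies the same `sanitize_key` check, per-page bounds and `set-screen-option` filter; delegating to it rather than copying it keeps the set of writable user-meta keys in sync with WordPress as core adds cases. Note also that `$value` is already cast to `int` on line 980, so the second cast on line 1013 is redundant, and the early cast means the `set-screen-option` filter in the `default` branch never sees a non-integer value, which differs from core's behaviour. The enclosing function starts before this hunk.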
reviewx/trunk/reviewx.php
r2912114
r2916148
4
4
* Plugin URI: https://reviewx.io/
5
5
* Description: Advanced Multi-criteria Rating & Reviews for WooCommerce. Turn your customer reviews into sales by collecting and leveraging reviews, ratings with multiple criteria.
6
* Version: 1.6.13
6
* Version: 1.6.14
7
7
* Author: WPDeveloper
8
8
* Author URI: https://wpdeveloper.net/
…
…
31
31
*/
32
32
define( 'PLUGIN_NAME’, ‘reviewx’);
33
define( 'REVIEWX_VERSION’, ‘1.6.13’ );
33
define( 'REVIEWX_VERSION’, ‘1.6.14’ );
34
34
35
35
define( 'REVIEWX_URL’, plugins_url( '/’, __FILE__ ) );
WordPress ReviewX plugin versions 1.6.13 and below suffer from a privilege escalation vulnerability.