Advisory:

WP Image Zoom allows anybody to cause denial of service

Vulnerability

Last revised:

WP Image Zoom includes an AJAX action which allows any logged in user to set any option to “1”. This means that any logged in user can cause a denial of service for all WP URLs by setting the “template” option to “1”.

Additionally, this vulnerability can be triggered via CSRF meaning that anybody who can convince a logged in user to follow a link can also cause a denial of service.

Current state: Fixed

CVSS Summary

CVSS base scores for this vulnerability
Score 7.5 High
Vector Network
Complexity Low
Authentication Single
Confidentiality None
Integrity Partial
Availability Complete
You can read more about CVSS base scores on Wikipedia or in the CVSS specification.

Proof of concept

Press the submit button in the following HTML snippet:

<form action="http://localhost/wp-admin/admin-ajax.php" method="POST">
 <input type="text" name="action" value="iz_dismiss">
 <input type="text" name="option" value="template">
 <input type="submit">
</form>

This will set the template option to 1 causing fatal errors for any WordPress URL.

In a real attack the form could be set to autosubmit so no user interaction is required except for following a link.

Advisory timeline

  • 2018-03-20: Discovered
  • 2018-03-27: Reported to author via¬†https://www.silkypress.com/contact/
  • 2018-03-27: Vendor responded
  • 2018-03-29: Vendor reported issue fixed in version 1.24
  • 2018-04-10: Advisory published

Mitigation/further actions

Upgrade to version 1.24 or later.