Redux Framework is a code structure script that lets you easily create good-looking options pages and adds its own features.
Versions before 220.127.116.11 are affected by a privilege escalation flaw. The exploit scenario is not a common one; these are the requirements:
- Using a theme with Redux Framework,
- Using a plugin with Redux Framework,
- Having a user with a role that doesn't have the manage_options capability, but still the
The vulnerable code is in
redux_ajax_nonce is the same for a theme and a plugin, so the token will be the same.
A user who can modify the theme options should not, logically, be able to modify a plugin's options.
But since the security token (nonce) is the same for each framework instance, even a user without the manage_options capability can send a request containing new settings for the plugin, because they know its security token.
Version 18.104.22.168 fixes this token by adding the name of the option to save, so it cannot be identical for a theme and a plugin.
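
The token collision and the fix described above, as an added example (a simplified stand-alone model, not Redux Framework or WordPress code). The salt, user id, option names and every demo_* function are constructed for illustration, and appending the option name directly to the action string is an assumption about the form the fix takes.

```php
<?php
// Added illustration: a simplified model of a WordPress-style nonce.
// A nonce is a keyed hash of the action string and the user (real WordPress
// also mixes in a time tick and the session token, omitted here).
const DEMO_SALT = 'constructed-demo-salt'; // constructed stand-in for the site's secret salt

function demo_create_nonce(string $action, int $user_id): string {
    return substr(hash_hmac('md5', $action . '|' . $user_id, DEMO_SALT), -12, 10);
}

function demo_verify_nonce(string $nonce, string $action, int $user_id): bool {
    return hash_equals(demo_create_nonce($action, $user_id), $nonce);
}

// Action string used by one framework instance. $scoped = false models the shared
// action described on the page; $scoped = true models the fix (option name added).
function demo_action(string $opt_name, bool $scoped): string {
    return $scoped ? 'redux_ajax_nonce' . $opt_name : 'redux_ajax_nonce';
}

// Save handler of one instance: it accepts any request carrying a valid nonce.
function demo_save(string $opt_name, bool $scoped, string $nonce, int $user_id): string {
    return demo_verify_nonce($nonce, demo_action($opt_name, $scoped), $user_id)
        ? "saved $opt_name"
        : 'rejected';
}

$user_id    = 7;                     // constructed: may open the theme options page only
$theme_opt  = 'demo_theme_options';  // hypothetical option names
$plugin_opt = 'demo_plugin_options';

foreach ([false, true] as $scoped) {
    // The nonce the user legitimately receives on the theme options page.
    $nonce = demo_create_nonce(demo_action($theme_opt, $scoped), $user_id);
    printf(
        "%s action: theme => %s, plugin => %s\n",
        $scoped ? 'scoped' : 'shared',
        demo_save($theme_opt, $scoped, $nonce, $user_id),
        demo_save($plugin_opt, $scoped, $nonce, $user_id)
    );
}
```

With the shared action the theme-page nonce is accepted by the plugin's handler; with the scoped action it is rejected. A nonce only ties a request to a user and an action, so a save handler should also check the user's capability for the specific instance being saved.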