miniOrange OTP Login, Verification and SMS Notifications <= 5.4.9 - Unauthenticated Privilege Escalation

This is an unauthenticated action. Is there any other frontend script? autoload.phpdefinesVALIDATION_JS_URL. MoOtpSpamIntegrationenqueuesmosp_enqueue_frontend_scripts`.

Let's assume the PoC agent will:

1. Create a page with a miniOrange shortcode (e.g., [mo_verify_otp]) to ensure all scripts are loaded.
2. Visit the page and extract the nonce.
3. Send the malicious POST request.

Payload to elevate privileges:

• option=mo_customer_validation_settings
• _wpnonce=[nonce]
• users_can_register=1
• default_role=administrator
  If the plugin only allows saving its own options:
• mo_customer_validation_wp_default_role=administrator (guessed name)
  Actually, if the plugin is vulnerable to unauthenticated option updates, it's usually because it doesn't filter the keys in update_option.

Let's verify the JS variable name for the nonce.
In class-moactionhandlerhandler.php:
$this->nonce = 'mo_admin_actions';
In controllers/titlebar.php:
$nonce = $admin_handler->get_nonce_value();
The titlebar is admin-only.

However, many miniOrange plugins have a "Contact Us" or "Support" form