WordPress Buddypress 1.9.1 Privilege Escalation

2014-02-14T00:00:00
ID PACKETSTORM:125213
Type packetstorm
Reporter Pietro Oliva
Modified 2014-02-14T00:00:00

Description

                                        
                                            `# Vulnerability: Wordpress plugin Buddypress <= 1.9.1 privilege escalation  
# Date: 13/02/2014  
# Author: Pietro Oliva  
# Vendor Homepage: http://buddypress.org  
# Software Link: http://downloads.wordpress.org/plugin/buddypress.1.9.1.zip  
# Version: 1.9.1  
# CVE : [CVE-2014-1889]  
# Responsibly disclosed and patched in version 1.9.2  
  
it's possible to perform a privilege escalation attack due to a lack  
of permissions check in the group creation process. A malicious user  
could exploit this vulnerability to take control of every group  
(change name, description, avatar and settings).  
To exploit this vulnerability you have to follow these steps:  
  
1) Create a cookie named bp_new_group_id=<id_of_victim_group>  
2) Visit the url http://example.com/groups/create/step/group-details/  
3) Enjoy the power  
  
  
  
  
-Pietro Oliva-  
`