Feather Login Page by Feather Plugins WordPress plugin Privilege Escalation
REPORT ID: 7616cd4c-f24c-4472-80d9-2c40a5c30d4b
The plugin contains a Missing Authorization vulnerability in the expirable login links list ajax function, which leads to Privilege Escalation.
Let’s check the plugin
The plugin allows administrators to create expirable login links. The created expirable users with the login links are listed in the admin page.
The ExpirableLoginLink class adds the following action hook:

As we can see, the listing is implemented with AJAX.
The getListOfUsers() method lists the users with the following code:

As we can see, the function does not include a capability check, which means that any authenticated user can access the function and list the expirable administrator users.
Let’s see how we can exploit this vulnerability
We only need to send a GET request to exploit this vulnerability.
The HTTP request:
GET /wp-admin/admin-ajax.php?action=ftlpp-ext-expirable-get-users HTTP/1.1
Host: localhost
We get a JSON response like this:
By opening the login link, we automatically log in to the user.
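As an added example (not the Feather Login Page plugin's own code, which this report does not reproduce), the block below shows the admin-ajax handler shape the report describes, first without the check and then in the hardened form a maintainer would ship: a capability check, a nonce check, and a listing that no longer hands out the login link itself. The hook name wp_ajax_ftlpp-ext-expirable-get-users follows the action in the request above; the function names, the manage_options capability, the ftlpp_expirable_list nonce action and the ftlpp_expires user meta key are assumptions made for the example.

```php
<?php
// Added example, not the plugin's own code. Names marked "assumed" are
// placeholders chosen for illustration.

// --- Pattern described in the report ---
// wp_ajax_{action} fires for EVERY logged-in user, whatever their role, so a
// callback registered here must enforce authorization itself. The version
// below does not, which is the missing-authorization issue in the report.
// (Registration left commented out so only the hardened handler is live.)
// add_action( 'wp_ajax_ftlpp-ext-expirable-get-users', 'ftlpp_get_list_of_users_unchecked' );
function ftlpp_get_list_of_users_unchecked() {
    // No current_user_can() and no nonce: any subscriber receives the list,
    // and the list carries the login links that log the caller in as admin.
    wp_send_json_success( ftlpp_collect_expirable_users( true ) );
}

// --- Hardened handler ---
add_action( 'wp_ajax_ftlpp-ext-expirable-get-users', 'ftlpp_get_list_of_users_hardened' );

function ftlpp_get_list_of_users_hardened() {
    // 1. Nonce check (assumed action name 'ftlpp_expirable_list'): the admin
    //    page must emit it with wp_create_nonce() and the JS must send it as
    //    the _wpnonce parameter. Rejects cross-site requests riding on an
    //    administrator's session; check_ajax_referer() dies on failure.
    check_ajax_referer( 'ftlpp_expirable_list', '_wpnonce' );

    // 2. Capability check. 'manage_options' is an assumed choice; use the
    //    capability that already gates creating the links in the admin page.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }

    // 3. Even for authorized callers, do not return the secret login URL in a
    //    listing; the report shows the URL alone is a full account takeover.
    wp_send_json_success( ftlpp_collect_expirable_users( false ) );
}

// Assumed helper standing in for the plugin's getListOfUsers(): returns the
// users the plugin created, keyed off an assumed 'ftlpp_expires' meta key.
function ftlpp_collect_expirable_users( $include_login_url ) {
    $rows = array();
    foreach ( get_users( array( 'meta_key' => 'ftlpp_expires' ) ) as $u ) {
        $row = array(
            'user_login' => $u->user_login,
            'expires'    => get_user_meta( $u->ID, 'ftlpp_expires', true ),
        );
        if ( $include_login_url ) {
            // Assumed meta key holding the one-time login URL.
            $row['login_url'] = get_user_meta( $u->ID, 'ftlpp_login_url', true );
        }
        $rows[] = $row;
    }
    return $rows;
}
```

The order of the two checks matters little; what matters is that both run before any data is built, and that the response for an unauthorized caller is a 403 with no partial listing. Dropping the login URL from the response also limits the damage of any future authorization slip, since an attacker who reaches the endpoint then learns only user names and expiry times.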