WordPress Plugin Vulnerabilities

Revive Old Post < 6.9.4 - Privilege Escalation

Description

Leveraging a publicly accessible AJAX function named ‘update_response’, it is possible to update any option with the WordPress installation. Using this vulnerability, it is possible to gain administrative access to the WordPress installation by updating the options ‘default_role’ and ‘users_can_register’, and then creating a new account. This new account will be created with administrative privileges, so long as these two options are updated to the values, as shown in the PoC below.

Affects Plugins

Plugin icon
tweet-old-post
Fixed in 6.9.4

References

URL
https://g0blin.co.uk/g0blin-00024/

Classification

Type
AUTHBYPASS
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-287

Miscellaneous

Submitter
James Hooker
Submitter website
https://research.g0blin.co.uk
Submitter twitter
g0blinResearch
Verified
No
WPVDB ID
4503da98-9786-4dd1-9cc3-0c054d89927d

Timeline

Publicly Published
2015-02-02 (about 11 years ago)
Added
2015-02-02 (about 11 years ago)
Last Updated
2019-10-21 (about 6 years ago)

Other

Published
Title
Published
2024-12-11
Title
Sign In With Google <= 1.8.0 - Authentication Bypass in authenticate_user
Published
2014-08-01
Title
Groups 1.4.5 - Negated Role Capability H&ling Elevated Privilege Issue
Published
2024-11-14
Title
Really Simple Security (Free, Pro, and Pro Multisite) 9.0.0 - 9.1.1.1 - Authentication Bypass
Published
2024-09-03
Title
PixelYourSite – Your smart PIXEL (TAG) & API Manager <= 9.7.1 and PixelYourSite PRO <= 10.4.2 - Unauthenticated Information Exposure and Log Deletion
Published
2014-08-01
Title
Profile Builder < 1.1.60 - Password Recovery Bypass