There’s a vulnerability that allows anyone who is logged in with any user role to escalate their privilege, or alter/upload any file, or adjust any plugin and interact with the site in many other ways.
In wpcentral.php, the plugin registers its AJAX actions. However, the handlers only check whether the user is logged in, not whether the user is an administrator. Both the my_wpc_actions_init and my_wpc_signon AJAX actions require a valid authentication key to be present in the request. That key can nevertheless be retrieved by calling the wpc_fetch_authkey function, which for obvious reasons does not require the authentication key to be present in the request. Once we have the authentication key, we can call pretty much any function or action present in the wpCentral plugin. The AJAX action my_wpc_signon would sign us in as an administrator (userid 1 in the database). The action my_wpc_actions along with the fileactions parameter would allow us to upload files to the server or execute any other function that is part of the wpCentral plugin.
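The root cause described above is a WordPress AJAX handler that treats "logged in" as sufficient authorization. The following is an added illustrative example, not code from wpCentral or WebARX: it shows that weak registration pattern next to a hardened handler that checks a capability and a nonce and compares the authentication key in constant time. All plugin, action, option and nonce names here (`example_*`) are hypothetical placeholders, not identifiers from the plugin.

```php
<?php
/**
 * Added example, not wpCentral's code. Names prefixed example_ are
 * hypothetical. Shows the authorization mistake described in the advisory
 * and one way to correct it in a WordPress AJAX handler.
 */

// ---- Weak pattern: authentication is the only gate -----------------------
// wp_ajax_{action} hooks already run only for logged-in users, so this
// is_user_logged_in() check adds nothing. Any role (including subscriber)
// reaches the body and is handed the remote-management secret.
add_action( 'wp_ajax_example_fetch_authkey_weak', 'example_fetch_authkey_weak' );
function example_fetch_authkey_weak() {
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'not logged in', 401 );
    }
    // Leaks a secret that unlocks every other privileged action.
    wp_send_json_success( array( 'auth_key' => get_option( 'example_auth_key', '' ) ) );
}

// ---- Hardened pattern ------------------------------------------------------
// 1. Require a capability that only administrators hold, not just a session.
// 2. Require a nonce so the request must come from the plugin's own UI.
// 3. Never return the secret; only accept it as proof and compare it with
//    hash_equals() to avoid a timing side channel.
// 4. Dispatch sub-actions through an allow-list instead of a user-chosen
//    function name.
add_action( 'wp_ajax_example_actions', 'example_actions' );
function example_actions() {
    // Dies with "-1" if the nonce is missing or invalid.
    check_ajax_referer( 'example_actions_nonce', 'nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    $supplied = isset( $_POST['auth_key'] ) ? (string) wp_unslash( $_POST['auth_key'] ) : '';
    $stored   = (string) get_option( 'example_auth_key', '' );
    if ( '' === $stored || ! hash_equals( $stored, $supplied ) ) {
        wp_send_json_error( 'invalid authentication key', 403 );
    }

    // Allow-list maps a request parameter to a fixed set of handlers; a
    // request cannot name an arbitrary plugin function.
    $allowed = array(
        'list_plugins' => 'example_list_plugins',
    );
    $sub = isset( $_POST['sub_action'] ) ? sanitize_key( wp_unslash( $_POST['sub_action'] ) ) : '';
    if ( ! isset( $allowed[ $sub ] ) ) {
        wp_send_json_error( 'unknown action', 400 );
    }
    wp_send_json_success( call_user_func( $allowed[ $sub ] ) );
}

// Example sub-action: read-only, still only reachable past the checks above.
function example_list_plugins() {
    if ( ! function_exists( 'get_plugins' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    return array_keys( get_plugins() );
}

// The nonce must be generated server-side for the admin page that issues
// the AJAX call, e.g. wp_create_nonce( 'example_actions_nonce' ), and sent
// back in the "nonce" POST field.
```

Two points worth noting when reviewing a plugin like this: a `wp_ajax_` hook implies authentication but never authorization, so every handler needs its own `current_user_can()` check; and a remote-management key that can sign a request in as user 1 is administrator-equivalent, so any endpoint that returns it must be held to at least the same capability as the actions it unlocks.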
WebARX
Dave
No
2020-01-24 (about 3 years ago)
2020-01-24 (about 3 years ago)
2021-01-19 (about 2 years ago)