wpCentral < 1.4.8 – Privilege Escalation

Description

There’s a vulnerability that allows anyone who is logged in with any user role to escalate their privilege, or alter/upload any file, or adjust any plugin and interact with the site in many other ways.

Proof of Concept

In wpcentral.php, AJAX actions are registered. However, it's only checking whether or not the user is logged in and not if the user is an administrator. Both my_wpc_actions_init and my_wpc_signon AJAX actions require a valid authentication key to be present in the request, however, we can retrieve this authentication key by calling the wpc_fetch_authkey function which for obvious reasons does not require the authentication key to be present in the request.

Once we have the authentication key, we can call pretty much any function or action present in the wpCentral plugin. The AJAX action my_wpc_signon would sign us in as an administrator (userid 1 in the database).

The action my_wpc_actions along with the fileactions parameter would allow us to upload files to the server or execute any other function that is part of the wpCentral plugin.