wpCentral < 1.4.8 - Privilege Escalation



Description
A vulnerability allows any logged-in user, regardless of role, to escalate their privileges, alter or upload any file, adjust any plugin, and interact with the site in many other ways.
Proof of Concept
AJAX actions are registered in wpcentral.php. However, the plugin only checks whether the user is logged in, not whether the user is an administrator. Both the my_wpc_actions_init and my_wpc_signon AJAX actions require a valid authentication key to be present in the request. However, we can retrieve this authentication key by calling the wpc_fetch_authkey function, which for obvious reasons does not require the authentication key to be present in the request.

Once we have the authentication key, we can call pretty much any function or action present in the wpCentral plugin. The AJAX action my_wpc_signon would sign us in as an administrator (userid 1 in the database).

The action my_wpc_actions along with the fileactions parameter would allow us to upload files to the server or execute any other function that is part of the wpCentral plugin.
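
The authorization gap described above, shown as an added example (this is not wpCentral's code and not the 1.4.8 patch): a WordPress AJAX handler that relies only on the wp_ajax_ hook, beside handlers that also verify a nonce and the manage_options capability. All example_* action, option and function names are hypothetical.

```php
<?php
// Added illustration; every example_* name below is hypothetical.

// Weak pattern: a wp_ajax_{action} hook fires for ANY logged-in user, so a
// subscriber reaches this handler exactly as an administrator would.
add_action( 'wp_ajax_example_fetch_key', 'example_fetch_key_weak' );
function example_fetch_key_weak() {
    // No capability check: the secret is handed to every authenticated role.
    wp_send_json_success( array( 'key' => get_option( 'example_auth_key' ) ) );
}

// Shared guard: nonce (CSRF protection) plus an explicit capability check.
function example_require_admin( $nonce_action ) {
    // Dies with a 403 response if the 'nonce' request field is missing or invalid.
    check_ajax_referer( $nonce_action, 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        // wp_send_json_error() sends the response and terminates the request.
        wp_send_json_error( array( 'message' => 'Insufficient privileges' ), 403 );
    }
}

// Hardened key retrieval: only administrators can read the secret.
add_action( 'wp_ajax_example_fetch_key_safe', 'example_fetch_key_safe' );
function example_fetch_key_safe() {
    example_require_admin( 'example_fetch_key_safe' );
    wp_send_json_success( array( 'key' => get_option( 'example_auth_key' ) ) );
}

// Hardened privileged action: the key is an additional factor, never a
// replacement for the role check, and is compared in constant time.
add_action( 'wp_ajax_example_privileged_action', 'example_privileged_action' );
function example_privileged_action() {
    example_require_admin( 'example_privileged_action' );

    $supplied = isset( $_POST['auth_key'] )
        ? sanitize_text_field( wp_unslash( $_POST['auth_key'] ) )
        : '';
    $expected = (string) get_option( 'example_auth_key', '' );

    // Reject when no key is configured, so an empty value never matches.
    if ( '' === $expected || ! hash_equals( $expected, $supplied ) ) {
        wp_send_json_error( array( 'message' => 'Invalid key' ), 403 );
    }

    wp_send_json_success( array( 'done' => true ) );
}
```

When reviewing a plugin for this class of bug, list every wp_ajax_ registration and confirm that each handler reaches a current_user_can() check before it touches secrets, files or user sessions.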

Affects Plugin

fixed in version 1.4.8

References

URL https://www.webarxsecurity.com/wpcentral-plugin-leads-to-multiple-vulnerabilities/

Classification

Type PRIVESC
OWASP Top 10 A2: Broken Authentication and Session Management
CWE CWE-269

Miscellaneous

Original Researcher WebARX
Submitter Dave
Submitter Website https://www.webarxsecurity.com
Submitter Twitter webarx_security
Views 3562
Verified No
WPVDB ID 10045

Timeline

Publicly Published 2020-01-24 (28 days ago)
Added 2020-01-24 (27 days ago)
Last Updated 2020-01-25 (26 days ago)
