wpCentral < 1.4.8 - Privilege Escalation

There’s a vulnerability that allows anyone who is logged in with any user role to escalate their privilege, or alter/upload any file, or adjust any plugin and interact with the site in many other ways.
Proof of Concept
In wpcentral.php, AJAX actions are registered. However, it’s only checking whether or not the user is logged in and not if the user is an administrator. Both my_wpc_actions_init and my_wpc_signon AJAX actions require a valid authentication key to be present in the request, however, we can retrieve this authentication key by calling the wpc_fetch_authkey function which for obvious reasons does not require the authentication key to be present in the request.

Once we have the authentication key, we can call pretty much any function or action present in the wpCentral plugin. The AJAX action my_wpc_signon would sign us in as an administrator (userid 1 in the database).

The action my_wpc_actions along with the fileactions parameter would allow us to upload files to the server or execute any other function that is part of the wpCentral plugin.

Affects Plugin

fixed in version 1.4.8


URL https://www.webarxsecurity.com/wpcentral-plugin-leads-to-multiple-vulnerabilities/


OWASP Top 10 A2: Broken Authentication and Session Management


Original Researcher WebARX
Submitter Dave
Submitter Website https://www.webarxsecurity.com
Submitter Twitter webarx_security
Views 3875
Verified No
WPVDB ID 10045


Publicly Published 2020-01-24 (4 months ago)
Added 2020-01-24 (4 months ago)
Last Updated 2020-01-25 (4 months ago)

Our Other Services

Online WordPress Vulnerability Scanner WPScan WordPress Security Plugin