Mashshare <= 2.3.0 - Information Disclosure



Description
The Mashshare plugin exposes a few AJAX commands via its own custom hook, implemented in the function ‘mashsb_process_actions’ in the file ‘includes/admin/admin-actions.php’. This function runs when the ‘admin_init’ action fires, which anyone can trigger by visiting the admin AJAX handler. Because the function performs no check of user privilege, anonymous users are able to trigger certain functions intended for administrative use only.
Proof of Concept
Visiting the following URL on the target discloses the content that is usually displayed in the ‘System Info’ tab of the Administration panel, which includes the PHP version, installed plugins, and various other system information.

http://localhost/wp-admin/admin-ajax.php?action=-&mashsb-action=tools_tab_system_info
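
A log check for requests of this shape, as an added example that is not part of the original advisory or the plugin's code: it scans access-log lines for admin-ajax.php requests that carry a ‘mashsb-action’ query parameter. The combined log format, the function name and the sample lines (constructed, using documentation IP ranges) are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [17/Apr/2015:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=-&mashsb-action=tools_tab_system_info HTTP/1.1" 200 5120 "-" "curl/7.38.0"
203.0.113.7 - - [17/Apr/2015:10:01:09 +0000] "GET /blog/wp-admin/admin-ajax.php?mashsb%2Daction=tools_tab_system_info HTTP/1.1" 200 5120 "-" "curl/7.38.0"
198.51.100.4 - - [17/Apr/2015:10:02:00 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 58 "-" "Mozilla/5.0"
198.51.100.9 - - [17/Apr/2015:10:03:00 +0000] "GET /?s=mashsb-action HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

# client IP, timestamp, method, request target, status code
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')


def find_mashsb_action_hits(log_text):
    """Return one record per admin-ajax.php request carrying mashsb-action."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        ip, when, method, target, status = m.groups()
        url = urlsplit(target)
        # WordPress may live in a subdirectory, so match on the path suffix.
        if not url.path.lower().endswith("/wp-admin/admin-ajax.php"):
            continue
        # parse_qs percent-decodes names, so an encoded 'mashsb%2Daction' is caught too.
        params = parse_qs(url.query, keep_blank_values=True)
        actions = params.get("mashsb-action")
        if actions:
            hits.append({"ip": ip, "time": when, "method": method,
                         "status": int(status), "mashsb_action": actions[0]})
    return hits


if __name__ == "__main__":
    for hit in find_mashsb_action_hits(SAMPLE_LOG):
        print(hit)
```

The check only sees the query string recorded in the access log, so parameters sent in a request body do not appear in its results.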

Affects Plugin

fixed in version 2.3.1

References

URL https://research.g0blin.co.uk/g0blin-00045/
URL https://github.com/espreto/wpsploit/blob/master/modules/auxiliary/scanner/http/wp_mashshare_info_disclosure.rb

Classification

Type BYPASS

Miscellaneous

Submitter James Hooker
Submitter Website https://research.g0blin.co.uk
Submitter Twitter g0blinResearch
Views 5260
Verified No
WPVDB ID 7936

Timeline

Publicly Published 2015-04-17 (over 4 years ago)
Added 2015-04-25 (over 4 years ago)
Last Updated 2019-10-22 (27 days ago)
