Mashshare <= 2.3.0 - Information Disclosure


Description
The Mashshare plugin exposes a few AJAX commands through its own custom hook, implemented in the file includes/admin/admin-actions.php by the function mashsb_process_actions. This function runs whenever the admin_init action fires, and anyone can trigger that action simply by requesting the admin AJAX handler. Because the function performs no check of the caller's privileges, anonymous users can trigger certain commands that are intended for administrative use only.
Proof of Concept
Visiting the following URL on the target discloses the content normally shown in the 'System Info' tab of the administration panel, which includes the PHP version, the installed plugins and various other system information.

http://localhost/wp-admin/admin-ajax.php?action=-&mashsb-action=tools_tab_system_info
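To make the missing privilege check concrete, here is an added illustration (not Mashshare's own code) of a handler in the shape the description gives, beside a hardened version; the action whitelist, nonce name and helper names are assumptions.

```php
<?php
// Added illustration, not the plugin's actual code. The handler shape
// (admin_init hook, dispatch on the 'mashsb-action' request parameter)
// follows the advisory; the whitelist and nonce name are assumptions.

// VULNERABLE pattern: admin-ajax.php fires admin_init for every request,
// authenticated or not, and nothing here checks who is calling.
function mashsb_process_actions_vulnerable() {
    if ( ! isset( $_REQUEST['mashsb-action'] ) ) {
        return;
    }
    // Dispatches e.g. 'tools_tab_system_info' to whatever callback is hooked.
    do_action( 'mashsb_' . $_REQUEST['mashsb-action'], $_REQUEST );
}

// HARDENED pattern: require an administrative capability, restrict the
// action to a known list and verify a nonce before dispatching anything.
function mashsb_process_actions_hardened() {
    if ( ! isset( $_REQUEST['mashsb-action'] ) ) {
        return;
    }

    // Only administrators may reach these tools; anonymous and
    // low-privilege callers are silently ignored.
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }

    // Whitelist (assumed list) instead of using raw input as a hook name.
    $allowed = array( 'tools_tab_system_info' ); // add other admin-only actions here
    $action  = sanitize_key( wp_unslash( $_REQUEST['mashsb-action'] ) );
    if ( ! in_array( $action, $allowed, true ) ) {
        return;
    }

    // CSRF protection: the admin page linking to these actions must embed a
    // nonce created with wp_create_nonce( 'mashsb-action' ) as _wpnonce.
    check_admin_referer( 'mashsb-action' );

    do_action( 'mashsb_' . $action, $_REQUEST );
}
add_action( 'admin_init', 'mashsb_process_actions_hardened' );
```

With the hardened handler, the proof-of-concept request above returns nothing for an unauthenticated visitor, because the capability check fails before any action is dispatched.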

Affects

Plugin mashsharer
fixed in version 2.3.1

References

URL https://research.g0blin.co.uk/g0blin-00045/
URL https://github.com/espreto/wpsploit/blob/master/modules/auxiliary/scanner/http/wp_mashshare_info_disclosure.rb

Classification

Type BYPASS

Miscellaneous

Submitter James Hooker
Submitter Website https://research.g0blin.co.uk
Submitter Twitter g0blinResearch
Verified No
WPVDB ID 7936

Timeline

Publicly Published 2015-04-17
Added 2015-04-25
Last Updated 2015-09-20

Copyright & License

Copyright All data and resources contained within this page and this web site are Copyright © The WPScan Team.
License Some of this data may be used for non-commercial purposes, however, any potential commercial usage of this data will require a license. If you would like to inquire about a commercial license please contact us.