Controlled Admin Access WordPress Plugin <= 1.4.0 - Improper Access Control & Privilege Escalation

2021.03.23
Credit: m0ze (RU)
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-284

/*!
 - # VULNERABILITY: Controlled Admin Access WordPress Plugin <= 1.4.0 - Improper Access Control & Privilege Escalation
 - # GOOGLE DORK: inurl:/wp-content/plugins/controlled-admin-access/
 - # DATE: 2021-03-18
 - # SECURITY RESEARCHER: m0ze [ https://m0ze.ru ]
 - # VENDOR: WPRuby [ https://wpruby.com ]
 - # SOFTWARE VERSION: <= 1.4.0
 - # SOFTWARE LINK: https://wordpress.org/plugins/controlled-admin-access/
 - # CVSS: AV:N/AC:L/PR:L/UI:N/S:U
 - # CWE: CWE-284
 - # CVE: CVE-2021-24215
*/

### -- [ Info: ]

[i] An Improper Access Control vulnerability was discovered in the Controlled Admin Access plugin through version 1.4.0 for WordPress.
[i] The restrictions the plugin applies to a temporary administrator account do not cover the site customization functionality and the global CMS settings, i.e. /wp-admin/customize.php and /wp-admin/options.php. Uncontrolled access to these pages can lead to a complete compromise of the target site.
[i] Even with the maximum restrictions applied to a temporary administrator account, several attack vectors are possible against the targeted website; the simplest and fastest is raising the account's privileges to an unrestricted administrator and taking full control of the attacked website.

### -- [ Impact: ]

[~] Full compromise of the vulnerable web application and also of the web server.

### -- [ PoC #1 | Improper Access Control | Customize: ]

[!] https://example.com/wp-admin/customize.php

### -- [ PoC #2 | Improper Access Control | All Settings: ]

[!] https://example.com/wp-admin/options.php

### -- [ Contacts: ]

[+] Website: m0ze.ru
[+] GitHub: @m0ze
[+] Telegram: @m0ze_ru
[+] Twitter: @vladm0ze
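For an operator who cannot update immediately, the following must-use plugin shows how to deny the two pages named above to the temporary account. It is an added example, not code from the advisory or from the Controlled Admin Access plugin, and it assumes the temporary administrator can be recognised by a user meta flag: the key `cwa_temporary_admin` and all `cwa_example_*` names are hypothetical and must be replaced with the plugin's real marker.

```php
<?php
/**
 * Plugin Name: Example guard for temporary admin accounts
 * Description: Added example (mu-plugin), not part of the advisory or of the
 *              Controlled Admin Access plugin. Drop into wp-content/mu-plugins/.
 *
 * ASSUMPTION: the temporary administrator is marked by a user meta flag.
 * The key below is hypothetical; replace it with the plugin's real marker.
 */

defined( 'ABSPATH' ) || exit;

const CWA_EXAMPLE_TEMP_ADMIN_META = 'cwa_temporary_admin'; // hypothetical key

/** Pages named in the advisory that the temporary account must never reach. */
const CWA_EXAMPLE_BLOCKED_PAGES = array( 'customize.php', 'options.php' );

/**
 * Capabilities WordPress core checks for those pages:
 *  - customize.php -> current_user_can( 'customize' ), which map_meta_cap()
 *                     resolves to 'edit_theme_options'
 *  - options.php   -> current_user_can( 'manage_options' )
 */
const CWA_EXAMPLE_STRIPPED_CAPS = array( 'customize', 'edit_theme_options', 'manage_options' );

function cwa_example_is_temporary_admin( int $user_id ): bool {
	return (bool) get_user_meta( $user_id, CWA_EXAMPLE_TEMP_ADMIN_META, true );
}

/*
 * Layer 1: strip the gating capabilities. Filtering user_has_cap is evaluated
 * on every current_user_can() call for this user, so it also covers code paths
 * other than the two URLs (for example the REST settings endpoint, which
 * checks manage_options).
 */
add_filter(
	'user_has_cap',
	function ( array $allcaps, array $caps, array $args, WP_User $user ): array {
		if ( ! cwa_example_is_temporary_admin( $user->ID ) ) {
			return $allcaps;
		}
		foreach ( CWA_EXAMPLE_STRIPPED_CAPS as $cap ) {
			unset( $allcaps[ $cap ] );
		}
		return $allcaps;
	},
	10,
	4
);

/*
 * Layer 2 (defence in depth): refuse the two pages outright on admin_init,
 * which both customize.php and options.php fire via wp-admin/admin.php before
 * they render anything or process a submitted form.
 */
add_action(
	'admin_init',
	function (): void {
		global $pagenow;
		if ( ! in_array( $pagenow, CWA_EXAMPLE_BLOCKED_PAGES, true ) ) {
			return;
		}
		if ( cwa_example_is_temporary_admin( get_current_user_id() ) ) {
			wp_die( 'Sorry, you are not allowed to access this page.', 403 );
		}
	}
);
```

Removing `edit_theme_options` also takes themes, widgets and menus away from the flagged account; for an account that is meant to run with "maximum restrictions" that is the intended effect, but verify the result by logging in as the temporary user and requesting both PoC URLs, expecting the 403 page rather than the Customizer or the settings form.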

References:

https://m0ze.ru/vulnerability/[2021-03-18]-[WordPress]-[CWE-284]-Controlled-Admin-Access-WordPress-Plugin-v1.4.0.txt
https://twitter.com/vladm0ze



Copyright 2021, cxsecurity.com

 
