
From simple recon to PWN WordPress admin panel writeup

Oct 13, 2024

Hello guys, I'm rood, a bug bounty hunter, and this is my first English writeup.

In this writeup I will write about one of the interesting findings I discovered recently, which allowed me to register a new account with admin privileges in the WordPress panel.

So firstly, when I do recon, once I finish simple recon like sd enum and Google dorking, I prefer to find subsidiaries, and my favorite method to find these assets is copyright recon.

For example, I go to Google and search like this: “© 2024 Uber Technologies Inc.”

and do some filtering like -uber.com, or search for old copyrights like “© 2023 Uber Technologies Inc.”, “© 2022 Uber Technologies Inc.”, etc.

So I found an old website with an old version of WordPress, and it allowed registration.

Wappalyzer results

So I registered an account to start testing, and the first thing I tried to test was profile editing.

POST request for profile editing

There was something interesting in the parameters: before any value there are 2 words (_UM_), so I copied one of these parameters and did some googling, and I found this result:

Now I understood that they use the Ultimate Member WordPress plugin.

What's Ultimate Member?

Ultimate Member is a free user profile plugin that makes it easy to create powerful online communities and membership sites with WordPress.

So the first thing I searched for was a CVE for this plugin.


I found CVE-2023-3460 for this plugin, and yeah, I'm sure it's vulnerable because the WP version is old and there are clear steps to exploit this CVE.

Steps to exploit CVE-2023-3460

The exploit is so easy: when you register, add this parameter to the POST request for registration (wp_càpabilities[administrator]=1).

So I registered another new account and added this parameter.

And yeah, after forwarding the request, it redirected me to the admin panel directly.

Admin panel pwned
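
For defenders reviewing registration traffic, here is an added example (not code from this writeup or from the plugin) showing why an exact-match filter on parameter names misses the accented key above, while a comparison after Unicode folding catches it. It assumes the default wp_ table prefix and that the accented key is treated as the plain one further down the stack; the protected-key list and request bodies are constructed for illustration.

```python
import unicodedata
from urllib.parse import parse_qsl

# Assumption: default "wp_" table prefix; keys a signup/profile form must never set.
PROTECTED_KEYS = {"wp_capabilities", "wp_user_level"}


def fold(key):
    """Approximate an accent- and case-insensitive comparison:
    decompose, drop combining marks, casefold."""
    decomposed = unicodedata.normalize("NFKD", key)
    return "".join(c for c in decomposed if not unicodedata.combining(c)).casefold()


def base_key(param):
    """'wp_capabilities[administrator]' -> 'wp_capabilities'"""
    return param.split("[", 1)[0].strip()


def flag_exact(body):
    """Naive check: exact string match on the parameter name."""
    return [k for k, _ in parse_qsl(body, keep_blank_values=True)
            if base_key(k) in PROTECTED_KEYS]


def flag_folded(body):
    """Hardened check: compare parameter names after Unicode folding."""
    return [k for k, _ in parse_qsl(body, keep_blank_values=True)
            if fold(base_key(k)) in PROTECTED_KEYS]


# Constructed sample request bodies (not captured traffic).
SAMPLES = {
    "benign": "user_login=alice&user_email=alice%40example.test&first_name=Alice",
    "plain": "user_login=bob&wp_capabilities%5Badministrator%5D=1",
    "accented": "user_login=eve&wp_c%C3%A0pabilities%5Badministrator%5D=1",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:9} exact={flag_exact(body)} folded={flag_folded(body)}")
```

The same folding step can be applied when auditing stored request logs or WAF rules for registration endpoints.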

So that's it. I know the exploit is very easy, but the game is how you can search about everything and analyze it to achieve the hard things. I hope everything was clear, and I'm sorry for my weak language. Please don't forget to support me with a like and clapping.

Thanks for reading, love u all ❤
