[wp-trac] [WordPress Trac] #57465: WordPress AJAX Vulnerability
WordPress Trac
noreply at wordpress.org
Sat Jan 14 22:55:01 UTC 2023
#57465: WordPress AJAX Vulnerability
---------------------------+-----------------------------
Reporter: allalbenaissa | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: General | Version: 6.1.1
Severity: normal | Keywords:
Focuses: |
---------------------------+-----------------------------
The file defines the DOING_AJAX constant, loads the WordPress bootstrap,
and sets up headers for cross-domain requests. It then checks for a valid
'action' parameter in the request and loads the necessary WordPress
Administration APIs and Ajax handlers.
The file also defines two arrays, $core_actions_get and
$core_actions_post, which contain a list of allowed actions that can be
executed via GET and POST requests respectively. These actions include
various core WordPress functionality such as fetching lists, searching for
tags, handling image editing, and managing posts, comments, and users.
A potential vulnerability in this code could occur if an attacker is able
to pass an action parameter in the request that is not on the list of
allowed actions, allowing them to execute arbitrary code on the server.
However, it's not possible to confirm it without more context.
Here is an example of how the exploit code from the previous response
could be written in Python using the requests library:
import requests
url = "http://example.com/wp-admin/admin-ajax.php"
data = {
    "action": "eval",
    "eval": "system('touch /tmp/hacked');"
}
response = requests.post(url, data=data)
print(response.text)
This code will send a POST request to the specified URL with the data
payload containing the action "eval" and the code to be executed on the
server. The response text will be printed, which could be used to check if
the code was executed successfully.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/57465>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
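The dispatch the ticket describes, as an added example that is not part of the ticket or of WordPress's own code: a simplified Python model of how admin-ajax.php turns the action value into a hook lookup (the two core-action sets are constructed subsets, and plugin_hooks is an assumed parameter), followed by a check over constructed access-log lines for requests naming an action that is not registered.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed subsets of $core_actions_get / $core_actions_post from
# admin-ajax.php (the real arrays are far longer).
CORE_ACTIONS_GET = {"fetch-list", "ajax-tag-search", "imgedit-preview"}
CORE_ACTIONS_POST = {"delete-comment", "delete-post", "add-user"}

def dispatch(method, params, logged_in=True, plugin_hooks=()):
    """Simplified model of the dispatch in wp-admin/admin-ajax.php.
    The 'action' value is not executed; it only selects a hook name. Core
    registers wp_ajax_<action> for $core_actions_get entries on GET and
    $core_actions_post entries on POST; plugins may register more hooks
    (plugin_hooks, an assumed parameter). An unregistered hook ends in
    wp_die('0', 400).
    """
    action = params.get("action")
    if not action:
        return 400, "0"
    registered = set(plugin_hooks)
    core = CORE_ACTIONS_GET if method == "GET" else CORE_ACTIONS_POST
    if action in core:
        registered.add(f"wp_ajax_{action}")
    hook = ("wp_ajax_" if logged_in else "wp_ajax_nopriv_") + action
    if hook not in registered:
        return 400, "0"
    return 200, f"ran {hook}"

# Combined-log-format request line; POST bodies are not in access logs,
# so this check only sees actions carried in the query string.
LOG_RE = re.compile(r'"(?P<method>GET|POST) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def suspicious_ajax_requests(log_lines, known_actions):
    """Return (action, status) for admin-ajax.php hits with an unknown action."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m or not m["path"].startswith("/wp-admin/admin-ajax.php"):
            continue
        action = parse_qs(urlsplit(m["path"]).query).get("action", [""])[0]
        if action not in known_actions:
            hits.append((action, int(m["status"])))
    return hits

SAMPLE_LOG = [  # constructed access-log lines
    '10.0.0.5 - - [14/Jan/2023:22:55:01 +0000] "GET /wp-admin/admin-ajax.php?action=fetch-list HTTP/1.1" 200 512',
    '10.0.0.9 - - [14/Jan/2023:22:55:03 +0000] "POST /wp-admin/admin-ajax.php?action=eval HTTP/1.1" 400 1',
    '10.0.0.9 - - [14/Jan/2023:22:55:04 +0000] "GET /index.php HTTP/1.1" 200 7000',
]
```

The model stops at hook selection; in real WordPress each registered handler still performs its own nonce and capability checks, so the known-action set for the log check should be built from the site's actual core and plugin registrations.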