On July 1st, 2023, news broke of a "Vulnerability in WordPress plugin with 200,000+ active installations allows full site takeover with only 'trivial' effort". The vulnerability was assigned CVE-2023-3460, with a CVSS v3.1 score of 9.8 (critical).
As there was no publicly available exploit at the time, I decided to dig into the plugin (Ultimate Member), installed in a personal WordPress setup, and explore what could be done to exploit it.
After some hours of reading and understanding the registration process used by this plugin, I found the route to exploitation.
If you have ever installed WordPress and looked closely at its database, you may have noticed how user roles are stored: each user's role sits in the wp_usermeta table as a PHP-serialized array under the meta_key wp_capabilities (the wp_ prefix is the site's table prefix), with a legacy numeric wp_user_level row beside it. Nothing in the wp_users row itself says "administrator". If you have not, the Stack Overflow thread below gives a brief explanation of the same:
Changing a WordPress user to an admin (Stack Overflow)
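As an added example (not code from the original post or from the plugin), the Python below parses and builds the PHP-serialized wp_capabilities value that WordPress stores in wp_usermeta, and runs a small audit over a constructed set of usermeta rows: it lists every user whose wp_capabilities grants administrator and flags those whose wp_user_level is not 10, since WordPress updates wp_user_level when a role is changed through its own API, so an administrator row with a stale level hints that the meta value was written by some other path. The sample rows, the function names and the "level != 10" heuristic are assumptions made for this example.

```python
"""Parse, build and audit the PHP-serialized role array that WordPress keeps in
wp_usermeta under meta_key = wp_capabilities (added example, not project code)."""
from typing import Dict, List, Optional, Tuple

# Constructed sample rows (user_id, meta_key, meta_value); not real data.
# User 1 is a normal admin, user 3 is an admin whose wp_user_level was never
# updated, user 4 has an explicit administrator => false entry.
SAMPLE_USERMETA: List[Tuple[int, str, str]] = [
    (1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (1, "wp_user_level", "10"),
    (2, "wp_capabilities", 'a:1:{s:10:"subscriber";b:1;}'),
    (2, "wp_user_level", "0"),
    (3, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (3, "wp_user_level", "0"),
    (4, "wp_capabilities", 'a:2:{s:6:"editor";b:1;s:13:"administrator";b:0;}'),
    (4, "wp_user_level", "7"),
]


def serialize_caps(roles: Dict[str, bool]) -> str:
    """Build the PHP serialize() form of a {role: bool} array.
    PHP string lengths are byte lengths, so encode before measuring."""
    parts = "".join(
        f's:{len(role.encode("utf-8"))}:"{role}";b:{int(flag)};'
        for role, flag in roles.items()
    )
    return f"a:{len(roles)}:{{{parts}}}"


def parse_caps(value: str) -> Dict[str, bool]:
    """Strict parser for an array of string => bool, as WordPress writes it.
    Works on bytes because the declared lengths are byte counts; rejects
    anything whose declared lengths or shape do not match."""
    b = value.encode("utf-8")
    if not b.startswith(b"a:"):
        raise ValueError("not a serialized PHP array")
    j = b.index(b":", 2)
    count = int(b[2:j])
    if b[j:j + 2] != b":{":
        raise ValueError("malformed array header")
    pos = j + 2
    roles: Dict[str, bool] = {}
    for _ in range(count):
        if b[pos:pos + 2] != b"s:":
            raise ValueError(f"expected string key at byte {pos}")
        k = b.index(b":", pos + 2)
        n = int(b[pos + 2:k])
        if b[k:k + 2] != b':"':
            raise ValueError("malformed string key")
        name = b[k + 2:k + 2 + n]
        # The declared length must land exactly on the closing quote.
        if len(name) != n or b[k + 2 + n:k + 4 + n] != b'";':
            raise ValueError("declared string length does not match")
        pos = k + 4 + n
        if b[pos:pos + 2] != b"b:" or b[pos + 2:pos + 4] not in (b"0;", b"1;"):
            raise ValueError("expected boolean value")
        roles[name.decode("utf-8")] = b[pos + 2:pos + 3] == b"1"
        pos += 4
    if b[pos:] != b"}":
        raise ValueError("trailing data after array")
    return roles


def is_valid_caps(value: str) -> bool:
    """True if the value parses as a well-formed role array."""
    try:
        parse_caps(value)
        return True
    except ValueError:
        return False


def find_admins(rows: List[Tuple[int, str, str]]) -> List[Tuple[int, Optional[int], bool]]:
    """Return (user_id, wp_user_level, suspicious) for every user whose
    wp_capabilities grants administrator. suspicious is True when the
    legacy level is missing or not 10, i.e. the role was probably not set
    through WordPress's own role API (assumed heuristic)."""
    caps: Dict[int, Dict[str, bool]] = {}
    levels: Dict[int, int] = {}
    for user_id, key, val in rows:
        if key == "wp_capabilities":
            caps[user_id] = parse_caps(val)
        elif key == "wp_user_level":
            levels[user_id] = int(val)
    result = []
    for user_id in sorted(caps):
        if caps[user_id].get("administrator"):
            level = levels.get(user_id)
            result.append((user_id, level, level != 10))
    return result


if __name__ == "__main__":
    for user_id, level, suspicious in find_admins(SAMPLE_USERMETA):
        print(f"user {user_id}: administrator, wp_user_level={level}, suspicious={suspicious}")
```

Run against the constructed rows, this reports users 1 and 3 as administrators and flags only user 3, whose level is still 0. Against a real site, select user_id, meta_key, meta_value from the usermeta table (with the site's actual prefix) and feed the rows in; any administrator you did not create, or one with a stale level, is worth a closer look.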
Time to kill
Once I had the exploitation route, it was just a matter of using it in my exploit request, which let me gain administrator-level privileges in the WordPress setup.
In the spirit of responsible disclosure, I have hidden as much as possible in the video PoC given here (so bear with me, those who want the cake ready-made). Still, enough hints are given to make your path to exploitation easier.