resulting in arbitrary code execution.

This was fixed in version 0.0.3 by changing the update code to be a POST request, resulting in authorization checks.

WordPress versions 4.9 and earlier have a setting called custom_wpadmin_slug that allows administrators to change the name of the “WP admin login” page. In these versions, custom_wpadmin_slug is not protected and can be changed by an attacker without being detected. An attacker (an unauthenticated user) can use this to force their way into the “WP admin login” page and update the setting, which then allows them to update any other setting on the site, such as adding or removing users/permissions, resulting in a potentially high risk to the website.
If you are running WordPress version 4.9 or earlier and have this setting changed, you should update to a newer version of WordPress as soon as possible and change the setting back to its original value.

CVE-2022-3488

What are WordPress plugins?

WordPress is a free and open-source content management system (CMS) written in PHP and backed by a MySQL database, used to create websites.
Some of the most popular WordPress plugins are those that allow users to manage their site’s content, such as WordPress SEO by Yoast or W3 Total Cache.
A plugin will often contain code that hooks into the core functionality of WordPress to add new features or change existing functionality. This can be done through a plugin’s functions.php file or within an existing theme’s functions.php file (so long as the theme does not specifically block unwanted function calls).

How to check if WordPress is vulnerable to arbitrary code execution?

To check if your WordPress site is vulnerable, you can visit the following URL:
http://example.com/wp-admin/update.php?action=update-core&package=avada-custom&slug=update-core
In this case, “example.com” would be replaced with the name of your website or blog. You will see that there are two values being checked: “package” and “slug”. Package is a specific version of WordPress (like avada-custom) while slug is the name of the page that you want to change. If an attacker were to change the value of package to avada, they could update any other setting on the page by changing slug to admin/settings/general (for example).
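
To see whether anyone has already sent requests of this shape to your site, you can search the web server access log for them. The script below is an added example, not code from the plugin or from WordPress: it takes the path and the two parameter names from the URL above, and it assumes the log is in the common "combined" access log format. The sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined Log Format: ip - user [time] "METHOD target PROTO" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

WATCHED_PATH = "/wp-admin/update.php"   # path from the URL on this page
WATCHED_PARAMS = ("package", "slug")    # the two values the page names


def find_update_requests(lines):
    """Return one dict per log line that requests update.php with both
    'package' and 'slug' present in the query string."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an access-log line in the assumed format
        url = urlsplit(m["target"])
        params = parse_qs(url.query, keep_blank_values=True)
        if url.path != WATCHED_PATH:
            continue
        if not all(p in params for p in WATCHED_PARAMS):
            continue
        hits.append({
            "ip": m["ip"],
            "time": m["time"],
            "method": m["method"],
            "status": int(m["status"]),
            "package": params["package"][0],
            "slug": params["slug"][0],
        })
    return hits


# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [07/Nov/2022:10:20:01 +0000] "GET /wp-admin/update.php?action=update-core&package=avada-custom&slug=update-core HTTP/1.1" 302 0 "-" "curl/7.85.0"',
    '203.0.113.9 - - [07/Nov/2022:10:21:13 +0000] "GET /wp-admin/update.php?action=update-core HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [07/Nov/2022:10:22:40 +0000] "GET /index.php?slug=a&package=b HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in find_update_requests(SAMPLE_LOG):
        print(hit)
```

Pass the function the lines of your own access log in place of SAMPLE_LOG; each hit records the client address, method and response status so the request can be followed up.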

Timeline

Published on: 11/07/2022 10:15:00 UTC
Last modified on: 11/10/2022 06:18:00 UTC

References