Vulnerability & Exploit Database

Back to search

WordPress WP EasyCart Plugin Privilege Escalation

The WordPress WP EasyCart plugin from version 1.1.30 to 3.0.20 allows authenticated users of any user level to set any system option via a lack of validation in the ec_ajax_update_option and ec_ajax_clear_all_taxrates functions located in /inc/admin/admin_ajax_functions.php. The module first changes the admin e-mail address to prevent any notifications being sent to the actual administrator during the attack, re-enables user registration in case it has been disabled and sets the default role to be administrator. This will allow for the user to create a new account with admin privileges via the default registration page found at /wp-login.php?action=register.

Free Metasploit Download

Get your copy of the world's leading penetration testing tool

 Download Now

Module Name

auxiliary/admin/http/wp_easycart_privilege_escalation

Authors

  • Rob Carr <rob [at] rastating.com>

References

Reliability

Development

Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use auxiliary/admin/http/wp_easycart_privilege_escalation msf auxiliary(wp_easycart_privilege_escalation) > show actions ...actions... msf auxiliary(wp_easycart_privilege_escalation) > set ACTION <action-name> msf auxiliary(wp_easycart_privilege_escalation) > show options ...show and set options... msf auxiliary(wp_easycart_privilege_escalation) > run