漏洞平台

POC详情： c2c329b760609841b02b0033ba39d6d80012a9e2

来源

https://github.com/ubaydev/CVE-2024-10508

关联漏洞

标题： WordPress plugin RegistrationMagic 安全漏洞 (CVE-2024-10508)
描述：WordPress和WordPress plugin都是WordPress基金会的产品。WordPress是一套使用PHP语言开发的博客平台。该平台支持在PHP和MySQL的服务器上架设个人博客网站。WordPress plugin是一个应用插件。 WordPress plugin RegistrationMagic 6.0.2.6版本及之前版本存在安全漏洞。攻击者利用该漏洞可以提升权限。

介绍

### Unauthenticated Privilege Escalation via Password Recovery on RegistrationMagic <= 6.0.2.6

**Disclaimer**: This information is provided for educational purposes only. This document aims to raise awareness of security vulnerabilities and should not be used for any unauthorized or malicious activities. Engaging in actions that exploit these vulnerabilities without permission is illegal and unethical.

The RegistrationMagic – User Registration Plugin with Custom Registration Forms plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 6.0.2.6. This is due to the plugin not properly validating the password reset token prior to updating a user's password. This makes it possible for unauthenticated attackers to reset the password of arbitrary users, including administrators, and gain access to these accounts.

After researching from several sources related to this CVE, I realized that the attack on this CVE is quite easy and does not require additional applications such as Burpsuite or Postman, this CVE only requires an email from an account that has an administrator level and resets it via the /password-recovery page or another custom password reset page.

## Dependencies
- Password reset page that has been set by admin (by default not)
![Screenshot 2](Screenshot_2.png)  
- Knowing email accounts that have administrator level

## PoC
 1. Go to the login page of the target that has this plugin (RegistrationMagic)
  ![Screenshot 2](Screenshot_1.png)  
 2. Click “Lost your password”, if the page leads to the password reset page, the password reset page has been set by the admin. if not, it means not.
  ![Screenshot 2](Screenshot_3.png)
 3. fill in an email that has an administrator level, and send it
  ![Screenshot 2](Screenshot_6.png)
 4. After that add ?reset_token= at the end of the url, and reset the password.
  ![Screenshot 2](Screenshot_5.png)
  ![Screenshot 2](Screenshot_7.png)
 5. After resetting your password, you can now log in using the password you sent earlier.
  ![Screenshot 2](Screenshot_8.png)
  ![Screenshot 2](Screenshot_9.png)

文件快照


 [4.0K]  /data/pocs/c2c329b760609841b02b0033ba39d6d80012a9e2
├── [2.1K]  README.md
├── [ 25K]  Screenshot_1.png
├── [ 23K]  Screenshot_2.png
├── [ 20K]  Screenshot_3.png
├── [ 12K]  Screenshot_4.png
├── [ 30K]  Screenshot_5.png
├── [ 13K]  Screenshot_6.png
├── [ 13K]  Screenshot_7.png
├── [ 15K]  Screenshot_8.png
└── [ 80K]  Screenshot_9.png

0 directories, 10 files

神龙机器人已为您缓存

备注

1. 建议优先通过来源进行访问。

2. 如果因为来源失效或无法访问，请发送邮箱到 f.jinxu#gmail.com 索取本地快照（把 # 换成 @）。

3. 神龙已为您对POC代码进行快照，为了长期维护，请考虑为本地POC付费，感谢您的支持。