Description
The WordPress WPLMS theme from version 1.5.2 to 1.8.4.1 allows an authenticated user of any user level to set any system option due to a lack of validation in the import_data function of /includes/func.php.
The module first changes the admin e-mail address to prevent any notifications being sent to the actual administrator during the attack, re-enables user registration in case it has been disabled and sets the default role to be administrator. This will allow for the user to create a new account with admin privileges via the default registration page found at /wp-login.php?action=register.
Module options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
msf > use auxiliary/admin/http/wp_wplms_privilege_escalationmsf undefined(wp_wplms_privilege_escalation) > show actions ...actions...msf undefined(wp_wplms_privilege_escalation) > set ACTION < action-name >msf undefined(wp_wplms_privilege_escalation) > show options ...show and set options...msf undefined(wp_wplms_privilege_escalation) > runPrioritise with Active Threat Intelligence
With curated Threat Intelligence, you can see which vulnerabilities truly put you at risk, prioritize what matters most, and act before attackers do.
Explore Intelligence Hub