WordPress WPLMS Theme Privilege Escalation Vulnerability

A privilege escalation vulnerability has been identified in the WPLMS theme for WordPress, specifically in versions 1.5.2 prior to 1.8.4.1. The vulnerability arises from the 'wp_ajax_import_data' AJAX action, which lacks proper validation. This flaw allows authenticated users to modify restricted settings and potentially create a new admin account.

Impact

Exploitation of this vulnerability could lead to unauthorized changes in WordPress settings, including the creation of a new admin account, allowing for full control over the WordPress site.

Reproduction

To reproduce this vulnerability, an authenticated user can send a POST request to 'wp-admin/admin-ajax.php' with the 'action' parameter set to 'import_data'. The 'name' parameter should specify the option to be changed, such as 'admin_email' or 'default_role', and the 'code' parameter must contain the new value, serialized and encoded in base64. Once the option is updated, the user can register a new account with admin privileges via the WordPress registration page.

Remediation

Users are advised to update the WPLMS theme to version 1.9 or a newer patched version.