Actively Exploited in the Wild
This vulnerability is being actively exploited in the wild.
WordPress Platform Theme Privilege Escalation Vulnerability
Vulnerability
A vulnerability in the WordPress Platform theme, all versions prior to 1.4.4, allows for unauthorized data modification that can lead to privilege escalation. This issue arises from a missing capability check in the '_ajax_save_options()' function, enabling unauthenticated attackers to update arbitrary options on the WordPress site. Exploitation of this vulnerability could involve changing the default role for new users to administrator, thereby granting administrative access to the attacker.
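The checks such an option-saving handler needs are sketched below as an added example. This is not the Platform theme's code or its 1.4.4 patch; the handler name, action name, nonce name and option keys are hypothetical.

```php
<?php
// Added example: a hypothetical option-saving AJAX handler, not the theme's own code.
// 'example_save_options', the 'nonce' field and the option keys are assumptions.

const EXAMPLE_ALLOWED_OPTIONS = array( 'example_layout', 'example_accent_color' );

function example_ajax_save_options() {
    // 1. Authorization: only users allowed to manage site options may continue.
    //    wp_send_json_error() sends the response and terminates the request.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // 2. Request origin: reject requests without a valid nonce (CSRF protection).
    if ( ! check_ajax_referer( 'example_save_options', 'nonce', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid nonce' ), 403 );
    }

    // 3. Scope: write only options this theme owns, never core options such as
    //    default_role or users_can_register.
    $submitted = isset( $_POST['options'] ) && is_array( $_POST['options'] )
        ? wp_unslash( $_POST['options'] )
        : array();

    $saved = array();
    foreach ( $submitted as $key => $value ) {
        $key = sanitize_key( $key );
        if ( ! in_array( $key, EXAMPLE_ALLOWED_OPTIONS, true ) || ! is_scalar( $value ) ) {
            continue; // Unknown key or non-scalar value: skip it.
        }
        update_option( $key, sanitize_text_field( $value ) );
        $saved[] = $key;
    }

    wp_send_json_success( array( 'saved' => $saved ) );
}

// Registered for logged-in users only; no wp_ajax_nopriv_ hook is added.
add_action( 'wp_ajax_example_save_options', 'example_ajax_save_options' );
```

A `wp_ajax_` hook still fires for any logged-in user, including subscribers, so the capability check is what restricts the handler to administrators. The allowlist keeps core options such as `default_role` out of reach even if the first two checks were bypassed.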
Impact
Exploitation of this vulnerability could result in a complete takeover of the affected WordPress site, allowing an attacker to execute PHP code, potentially leading to the injection of malware or SEO spam. In the case of the PageLines theme, the privilege escalation vulnerability could be exploited by an attacker who registers an account on the site.
Reproduction
To reproduce this vulnerability, upload a PHP payload through the 'settings_upload' option via the 'wp-admin/admin-post.php' endpoint. The Platform theme will execute the uploaded file, leading to remote code execution.
Remediation
Users should update to version 1.4.4 or later. For those unable to update, a simple plugin is available that can patch the vulnerability.
