SeventhQueen K Elements Privilege Escalation Vulnerability
Vulnerability
A privilege escalation vulnerability has been identified in the K Elements plugin, which is bundled with the KLEO WordPress theme. It affects K Elements versions prior to 5.4.0 and allows users to escalate privileges by exploiting a flaw in the Facebook login integration. The issue arises because the plugin does not properly verify the Facebook user data it receives, so a login request can be made to resolve to an account that does not belong to the requester, enabling unauthorized access to user accounts.
Impact
Exploitation of this vulnerability allows for unauthorized account access, enabling an attacker to escalate privileges and potentially gain full control over the affected WordPress site.
Reproduction
To reproduce this vulnerability, log into a WordPress site running a K Elements plugin version prior to 5.4.0. Initiate the Facebook login process and intercept the request so that it carries a different user's email address. Because the plugin does not validate that data against Facebook, the login completes as that account, bypassing normal authentication checks.
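The following PHP is an added illustration, not K Elements' code: the unsafe pattern described above, where the email in the login request is trusted, next to a hardened version that only accepts a Facebook access token and verifies identity server-side. KLEO_FB_APP_ID, KLEO_FB_APP_SECRET and the fb_user_id user meta key are assumed names.

```php
<?php
// Added illustration, not K Elements' code. Placeholders: KLEO_FB_APP_ID and
// KLEO_FB_APP_SECRET; user meta key 'fb_user_id' is assumed to hold the
// Facebook user ID stored when the account was linked.

// Vulnerable pattern: the email comes from the browser, so anyone can submit
// another user's address and be logged in as that user.
function fb_login_insecure() {
    $email = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    if ( $user = get_user_by( 'email', $email ) ) {
        wp_set_auth_cookie( $user->ID, true ); // trusts unverified client data
    }
}
// GET a Graph API endpoint and decode the JSON body (empty array on failure).
function graph_get( $path, $args ) {
    $resp = wp_remote_get( add_query_arg( $args, 'https://graph.facebook.com/' . $path ) );
    if ( is_wp_error( $resp ) || 200 !== wp_remote_retrieve_response_code( $resp ) ) {
        return array();
    }
    return (array) json_decode( wp_remote_retrieve_body( $resp ), true );
}

// Hardened pattern: only the access token comes from the browser. Facebook is
// asked whose token it is, the token is checked against this site's app, and
// the account is matched on the linked Facebook user ID rather than an email.
function fb_login_hardened() {
    $token = sanitize_text_field( wp_unslash( $_POST['access_token'] ?? '' ) );
    if ( '' === $token ) {
        return new WP_Error( 'fb_no_token', 'Missing access token.' );
    }
    // 1. Reject tokens issued to some other Facebook app.
    $app   = KLEO_FB_APP_ID . '|' . KLEO_FB_APP_SECRET;
    $debug = graph_get( 'debug_token', array( 'input_token' => $token, 'access_token' => $app ) );
    if ( empty( $debug['data']['is_valid'] ) || (string) $debug['data']['app_id'] !== KLEO_FB_APP_ID ) {
        return new WP_Error( 'fb_bad_token', 'Token is not valid for this app.' );
    }
    // 2. Fetch identity from Facebook; never read id or email from $_POST.
    $profile = graph_get( 'me', array( 'fields' => 'id', 'access_token' => $token ) );
    if ( empty( $profile['id'] ) ) {
        return new WP_Error( 'fb_no_profile', 'Could not verify Facebook identity.' );
    }
    // 3. Match on the stable Facebook user ID linked to the account.
    $users = get_users( array( 'meta_key' => 'fb_user_id', 'meta_value' => $profile['id'], 'number' => 1 ) );
    if ( empty( $users ) ) {
        return new WP_Error( 'fb_not_linked', 'No account linked to this Facebook user.' );
    }
    wp_set_auth_cookie( $users[0]->ID, true );
    return $users[0]->ID;
}
```

Matching on the linked Facebook user ID rather than on email also removes the dependency on email values that a user can change on either side.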
Remediation
Users of the K Elements plugin should update to version 5.4.0 or later. Patchstack users are already protected from this vulnerability.
