Prime Listing Manager WordPress Plugin Privilege Escalation Vulnerability
Vulnerability
A privilege escalation vulnerability has been identified in the Prime Listing Manager WordPress plugin, affecting versions up to and including 1.1. It allows an attacker with no account on the targeted site to gain administrative access. The root cause is a hardcoded secret in the plugin that can be used to forge a JSON Web Token (JWT) carrying administrative privileges, which the plugin then accepts as genuine.
Impact
Exploitation of this vulnerability allows for unauthorized administrative access, enabling an attacker to perform any actions available to an admin user on the WordPress site.
Reproduction
To reproduce this vulnerability, a Node.js script can be used to generate a JWT. The script creates a token by signing a payload that includes an admin user ID and username, using a hardcoded secret. Once the JWT is generated, it can be used to authenticate a request to the WordPress site's REST API, specifically to the 'user/change-password' endpoint. This request can include a new password, which, once accepted, allows logging in with the username and the newly set password.
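The weakness described above is a signing secret shipped in the plugin source, combined with a REST route that trusts the forged token instead of WordPress's own authorization. The following PHP is an added illustrative example, not code from the Prime Listing Manager plugin: it shows the defensive pattern a plugin should follow instead, generating a random per-installation secret at activation time, gating the password-change route with a permission_callback built on WordPress capability checks, and, where the plugin still issues its own HS256 tokens, verifying them with a pinned algorithm, a constant-time comparison and an expiry check. The option name, route namespace, parameter names and all function names are assumptions made for this example.

```php
<?php
/*
 * Added illustrative example, not the Prime Listing Manager plugin's own code.
 * Option name, route namespace and function names are assumptions.
 */

// Generate a random per-site secret once, on activation. Shipping a fixed
// secret in the plugin file means every installation shares it.
function plm_example_activate() {
    if ( false === get_option( 'plm_example_jwt_secret' ) ) {
        // 64 bytes from the CSPRNG, stored base64-encoded and not autoloaded.
        add_option( 'plm_example_jwt_secret', base64_encode( random_bytes( 64 ) ), '', 'no' );
    }
}
register_activation_hook( __FILE__, 'plm_example_activate' );

// The route's permission_callback lets WordPress decide who may change a
// password; a token presented by the caller is never the sole authority.
add_action( 'rest_api_init', function () {
    register_rest_route( 'plm-example/v1', '/user/change-password', array(
        'methods'             => 'POST',
        'callback'            => 'plm_example_change_password',
        'permission_callback' => function ( WP_REST_Request $request ) {
            // Cookie auth plus the REST nonce (X-WP-Nonce) is what makes
            // is_user_logged_in() meaningful for a REST request.
            $target = (int) $request->get_param( 'user_id' );
            return is_user_logged_in()
                && ( get_current_user_id() === $target || current_user_can( 'edit_users' ) );
        },
        'args' => array(
            'user_id'      => array( 'required' => true, 'type' => 'integer' ),
            'new_password' => array( 'required' => true, 'type' => 'string' ),
        ),
    ) );
} );

function plm_example_change_password( WP_REST_Request $request ) {
    $user_id  = (int) $request->get_param( 'user_id' );
    $password = (string) $request->get_param( 'new_password' );
    if ( strlen( $password ) < 12 ) {
        return new WP_Error( 'plm_weak_password', 'Password too short.', array( 'status' => 400 ) );
    }
    wp_set_password( $password, $user_id );
    return rest_ensure_response( array( 'changed' => true ) );
}

// If the plugin must accept its own HS256 tokens, verify them against the
// per-site secret: pin the algorithm, compare the MAC in constant time, and
// reject expired claims. Returns the claims array on success, false otherwise.
function plm_example_verify_token( string $jwt ) {
    $parts = explode( '.', $jwt );
    if ( count( $parts ) !== 3 ) {
        return false;
    }
    list( $h, $p, $s ) = $parts;
    $header = json_decode( plm_example_b64url_decode( $h ), true );
    if ( ! is_array( $header ) || ( $header['alg'] ?? '' ) !== 'HS256' ) {
        return false;
    }
    $secret   = base64_decode( (string) get_option( 'plm_example_jwt_secret' ) );
    $expected = hash_hmac( 'sha256', "$h.$p", $secret, true );
    if ( ! hash_equals( $expected, plm_example_b64url_decode( $s ) ) ) {
        return false;
    }
    $claims = json_decode( plm_example_b64url_decode( $p ), true );
    if ( ! is_array( $claims ) || ( $claims['exp'] ?? 0 ) < time() ) {
        return false;
    }
    return $claims;
}

function plm_example_b64url_decode( string $s ): string {
    $pad = str_repeat( '=', ( 4 - strlen( $s ) % 4 ) % 4 );
    return (string) base64_decode( strtr( $s, '-_', '+/' ) . $pad );
}
```

The two halves address the two halves of the flaw: a secret that exists only in the site's database cannot be read out of the plugin's distributed source, and a route whose permission_callback checks the current WordPress user does not become an administrative backdoor even if a token is somehow forged. Rotating the stored secret (deleting and regenerating the option) invalidates every outstanding token, which is the response a site owner wants after a disclosure like this one.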