cbcvebase.
CVE-2014-9013
published 2019-11-06

Priority: P2 (72, high)
CVSS 3.1: 8.8 (AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H)
Flags: EXPLOIT
EPSS: 47.87% (98.7th percentile)
The ajaxinit function in wpmarketplace/libs/cart.php in the WP Marketplace plugin 2.4.0 for WordPress allows remote authenticated users to create arbitrary users and gain admin privileges via a request to wpmp_pp_ajax_call with an execution target of wp_insert_user.

Affected

1 range

Vendor                 Product        Version range  Fixed in
wpmarketplace_project  wpmarketplace  (not listed)   (not listed)

Detection & IOCs (extracted from sources)

path: wpmarketplace/libs/cart.php
url: ?checkout_register=register
url: ?wpmpfile=123456
command: action=wpmp_pp_ajax_call&execute=wpmp_save_settings&_wpmp_settings[user_role][]=subscriber
command: action=wpmp_pp_ajax_call&execute=wpmp_front_add_product
  • Detect POST requests containing 'action=wpmp_pp_ajax_call' combined with 'execute=wp_insert_user' and 'role=administrator', which indicates an attempt to create a rogue WordPress admin account via the WP Marketplace plugin vulnerability.
  • Alert on any POST request to a WordPress site with 'action=wpmp_pp_ajax_call' in the body — this is the trigger for the arbitrary function call vulnerability in wpmarketplace/libs/cart.php.
  • Monitor for POST requests with 'execute=wpmp_save_settings' and '_wpmp_settings[user_role][]=subscriber', indicating privilege escalation to grant subscriber-level users plugin admin access.
  • Detect requests to '?wpmpfile=' query parameter, which is used to trigger arbitrary file download after exploitation of the WP Marketplace plugin.
  • Google dork 'index of "wpmarketplace"' is used by attackers to identify vulnerable targets; monitor for this search pattern in threat intelligence feeds.
  • The vulnerability affects WP Marketplace plugin version 2.4.0 only; version 2.4.1 contains the fix. Ensure detections are scoped to environments running the vulnerable version.
  • The exploit for admin creation (CVE-2014-9013) does not require prior authentication: any unauthenticated or authenticated user can trigger the wpmp_pp_ajax_call action from any post or page.
  • The arbitrary file download exploit (CVE-2014-9014, also referenced in exploit 36466) requires a registered/authenticated user account as a prerequisite before escalating privileges via wpmp_save_settings.
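The detection bullets above as working code. This is an added example, not the site's own rule or the plugin's code: it parses constructed request lines in a simplified "METHOD TARGET BODY" format (body is "-" when absent) and labels the wpmp_pp_ajax_call, wpmp_save_settings and ?wpmpfile= patterns listed on this page.

```python
"""Label requests that match the WP Marketplace (CVE-2014-9013) detection patterns.
Constructed log format: one request per line, 'METHOD TARGET BODY'.
Real access logs rarely carry POST bodies; a WAF or reverse-proxy log does."""
from urllib.parse import parse_qs, urlsplit

AJAX_ACTION = "wpmp_pp_ajax_call"   # the arbitrary-function-call entry point
ROLE_SETTING = "_wpmp_settings[user_role][]"   # key name exactly as sent

def classify_request(line):
    """Return the list of detection labels that apply to one request line."""
    parts = line.split(" ", 2)
    method, target = parts[0], parts[1]
    body = parts[2] if len(parts) > 2 else "-"
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    form = parse_qs(body, keep_blank_values=True) if body != "-" else {}
    labels = []
    # Any ?wpmpfile= request: the post-exploitation file download pattern.
    if "wpmpfile" in query:
        labels.append("wpmp-file-download-request")
    # Every POST carrying the AJAX action is worth an alert on its own.
    if method == "POST" and AJAX_ACTION in form.get("action", []):
        labels.append("wpmp-ajax-call")
        execute = form.get("execute", [""])[0]
        if execute == "wp_insert_user":
            if "administrator" in form.get("role", []):
                labels.append("wpmp-admin-creation")
            else:
                labels.append("wpmp-user-creation")
        if execute == "wpmp_save_settings" and "subscriber" in form.get(ROLE_SETTING, []):
            labels.append("wpmp-privilege-escalation-settings")
    return labels

def scan_log(lines):
    """Map line index -> labels for every line that matched at least one pattern."""
    hits = {}
    for i, line in enumerate(lines):
        labels = classify_request(line)
        if labels:
            hits[i] = labels
    return hits

# Constructed sample lines: benign traffic mixed with the patterns from this page.
SAMPLE_LOG = [
    "GET /?p=1 -",
    "POST /?p=1 action=wpmp_pp_ajax_call&execute=wp_insert_user&role=administrator",
    "POST /?p=2 action=wpmp_pp_ajax_call&execute=wpmp_save_settings&_wpmp_settings[user_role][]=subscriber",
    "GET /?wpmpfile=123456 -",
    "POST /wp-admin/admin-ajax.php action=heartbeat&interval=60",
]

if __name__ == "__main__":
    for idx, labels in scan_log(SAMPLE_LOG).items():
        print(idx, labels)
```

Scope the "wpmp-ajax-call" label to hosts actually running WP Marketplace 2.4.0, as the bullets advise, or it will fire on legitimate plugin use.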

CVSS provenance

NVD, CVSS v3.1: 8.8 HIGH (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
NVD, CVSS v2.0: 6.5 MEDIUM (AV:N/AC:L/Au:S/C:P/I:P/A:P)