CVE-2014-9013
Published 2019-11-06
Priority: P272 · high · CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EXPLOIT · EPSS: 47.87% (98.7th percentile)
The ajaxinit function in wpmarketplace/libs/cart.php in the WP Marketplace plugin 2.4.0 for WordPress allows remote authenticated users to create arbitrary users and gain admin privileges via a request to wpmp_pp_ajax_call with an execution target of wp_insert_user.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wpmarketplace_project | wpmarketplace | — | — |
Detection & IOCs (extracted from sources)
- Detect POST requests containing 'action=wpmp_pp_ajax_call' combined with 'execute=wp_insert_user' and 'role=administrator', which indicates an attempt to create a rogue WordPress admin account via the WP Marketplace plugin vulnerability.
- Alert on any POST request to a WordPress site with 'action=wpmp_pp_ajax_call' in the body — this is the trigger for the arbitrary function call vulnerability in wpmarketplace/libs/cart.php.
- Monitor for POST requests with 'execute=wpmp_save_settings' and '_wpmp_settings[user_role][]=subscriber', indicating privilege escalation to grant subscriber-level users plugin admin access.
- Detect requests to the '?wpmpfile=' query parameter, which is used to trigger arbitrary file download after exploitation of the WP Marketplace plugin.
- The Google dork 'index of "wpmarketplace"' is used by attackers to identify vulnerable targets; monitor for this search pattern in threat intelligence feeds.
- The vulnerability affects WP Marketplace plugin version 2.4.0 only; version 2.4.1 contains the fix. Ensure detections are scoped to environments running the vulnerable version.
- The exploit for admin creation (CVE-2014-9013) does not require prior authentication — any unauthenticated or authenticated user can trigger the wpmp_pp_ajax_call action from any post or page.
- The arbitrary file download exploit (CVE-2014-9014, also referenced in exploit 36466) requires a registered/authenticated user account as a prerequisite before escalating privileges via wpmp_save_settings.
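As an added example (not code from this page or from the sources it cites), the detection heuristics listed above applied in Python to a few constructed request records; the sample requests and the finding labels are assumptions made here, not captured traffic.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed sample requests as (method, URL, form body); not real captures.
SAMPLE_REQUESTS = [
    ("POST", "/some-post/", "action=wpmp_pp_ajax_call&execute=wp_insert_user&role=administrator"),
    ("POST", "/another-page/", "action=wpmp_pp_ajax_call&execute=wpmp_save_settings&_wpmp_settings[user_role][]=subscriber"),
    ("GET", "/?wpmpfile=somefile", ""),
    ("POST", "/wp-login.php", "log=alice&pwd=secret"),
]


def classify(method, url, body):
    """Return the labels (in rule order) that fire for one request.

    Body parameters are only considered for POST requests, matching the
    'POST request' wording of the rules; the query string is always checked.
    """
    findings = []
    params = parse_qs(body, keep_blank_values=True) if method.upper() == "POST" else {}
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    action = params.get("action", [])
    execute = params.get("execute", [])

    # Rule 2: any POST carrying the plugin's ajax action hits the call_user_func sink.
    if "wpmp_pp_ajax_call" in action:
        findings.append("wpmp_pp_ajax_call trigger")
        # Rule 1: execution target wp_insert_user with an administrator role.
        if "wp_insert_user" in execute and "administrator" in params.get("role", []):
            findings.append("rogue admin creation")
    # Rule 3: plugin settings change granting subscribers plugin admin access.
    if "wpmp_save_settings" in execute and "subscriber" in params.get("_wpmp_settings[user_role][]", []):
        findings.append("plugin privilege escalation")
    # Rule 4: the wpmpfile query parameter used for arbitrary file download.
    if "wpmpfile" in query:
        findings.append("arbitrary file download")
    return findings


def scan_requests(requests):
    """Map each request index to its findings, dropping clean requests."""
    results = {}
    for idx, (method, url, body) in enumerate(requests):
        hits = classify(method, url, body)
        if hits:
            results[idx] = hits
    return results


if __name__ == "__main__":
    for idx, hits in scan_requests(SAMPLE_REQUESTS).items():
        print(idx, SAMPLE_REQUESTS[idx][1], hits)
```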
CVSS provenance
- NVD v3.1: 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- NVD v2.0: 6.5 MEDIUM, AV:N/AC:L/Au:S/C:P/I:P/A:P
No detection rules found.
Exploit-DB: WordPress Plugin Marketplace 2.4.0 - Remote Code Execution (Add Admin)
exploitdb · 2015-03-25 · CVE-2014-9014
---
```python
#!/usr/bin/python
#
# Exploit Name: WP Marketplace 2.4.0 Remote Command Execution
#
# Vulnerability discovered by Kacper Szurek (http://security.szurek.pl)
#
# Exploit written by Claudio Viviani
#
# --------------------------------------------------------------------
#
# The vulnerable function is located on "wpmarketplace/libs/cart.php" file:
#
# function ajaxinit(){
#     if(isset($_POST['action']) && $_POST['action']=='wpmp_pp_ajax_call'){
#         if(function_exists($_POST['execute']))
#             call_user_func($_POST['execute'],$_POST);
#         else
#             echo __("function not defined!","wpmarketplace");
#         die();
#     }
# }
#
# Any user from any post/page can call wpmp_pp_ajax_call() action (wp hook).
# wpmp_pp_ajax_call() call functions
```
Exploit-DB: WordPress Plugin Marketplace 2.4.0 - Arbitrary File Download
exploitdb · 2015-03-22 · CVSS 8.8 · CVE-2014-9014 [HIGH]
---
```text
# Exploit Title: WP Marketplace 2.4.0 Arbitrary File Download
# Date: 26-10-2014
# Software Link: https://wordpress.org/plugins/wpmarketplace/
# Exploit Author: Kacper Szurek
# Contact: http://twitter.com/KacperSzurek
# Website: http://security.szurek.pl/
# Category: webapps
# CVE: CVE-2014-9013 and CVE-2014-9014
```

1. Description

Anyone can run a user-defined function because of call_user_func.

File: wpmarketplace\libs\cart.php

```php
function ajaxinit(){
    if(isset($_POST['action']) && $_POST['action']=='wpmp_pp_ajax_call'){
        if(function_exists($_POST['execute']))
            call_user_func($_POST['execute'],$_POST);
        else
            echo __("function not defined!","wpmarketplace");
        die();
    }
}
```
http://security.szurek.pl/wp-marketplace-240-arbitrary-file-do
No writeups or analysis indexed.