Vulnerability   
Search   
    Search 187964 CVE descriptions
and 85075 test descriptions,
access 10,000+ cross references.
Tests   CVE   All  

Test ID:1.3.6.1.4.1.25623.1.0.112815
Category:Web application abuses
Title:WordPress Advanced Access Manager Plugin < 6.6.2 Multiple Vulnerabilities
Summary:The WordPress plugin Advanced Access Manager is prone to multiple vulnerabilities.
Description:Summary:
The WordPress plugin Advanced Access Manager is prone to multiple vulnerabilities.

Vulnerability Insight:
If the 'Multiple Roles Support' setting is enabled, the plugin is vulnerable to authenticated
authorization bypass and, in some cases, privilege escalation.

Low-privileged users could assign themselves or switch to any role with an equal or lesser user level,
or any role that did not have an assigned user level. This could be done by sending a POST request to wp-admin/profile.php
with typical profile update parameters and appending a aam_user_roles[] parameter set to the role they would like to use.

The reason this worked is that the AAM_Backend_Manager::profileUpdate method that actually assigns these roles is triggered
by the profile_update and user_register actions, and failed to use a standard capability check.


The plugin's aam/v1/authenticate and aam/v2/authenticate REST endpoints were set to respond to a successful login with a
json-encoded copy of all metadata about the user, potentially exposing users' information to an attacker or low-privileged user.
This included items like the user's hashed password and their capabilities and roles, as well as any custom metadata
that might have been added by other plugins. This might include sensitive configuration information,
which an attacker could potentially use as part of an exploit chain.

Vulnerability Impact:
Low-privileged attackers could potentially switch to a role that allowed them to either
directly take over a site or could be used as part of an exploit chain, depending on which roles were configured.

Furthermore attackers that are able to assign themselves a custom role using the vulnerability could view which capabilities
were assigned to them, allowing them to plan the next phase of their attack.

Affected Software/OS:
WordPress Advanced Access Manager plugin before version 6.6.2.

Solution:
Update to version 6.6.2 or later.

CVSS Score:
7.1

CVSS Vector:
AV:N/AC:H/Au:S/C:C/I:C/A:C

CopyrightCopyright (C) 2020 Greenbone Networks GmbH

This is only one of 85075 vulnerability tests in our test suite. Find out more about running a complete security audit.

To run a free test of this vulnerability against your system, register below.




© 1998-2020 E-Soft Inc. All rights reserved.