|Category:||Web application abuses|
|Title:||WordPress Advanced Access Manager Plugin < 6.6.2 Multiple Vulnerabilities|
|Summary:||The WordPress plugin Advanced Access Manager is prone to multiple vulnerabilities.|
The WordPress plugin Advanced Access Manager is prone to multiple vulnerabilities.
If the 'Multiple Roles Support' setting is enabled, the plugin is vulnerable to authenticated
authorization bypass and, in some cases, privilege escalation.
Low-privileged users could assign themselves or switch to any role with an equal or lesser user level,
or any role that did not have an assigned user level. This could be done by sending a POST request to wp-admin/profile.php
with typical profile update parameters and appending a aam_user_roles parameter set to the role they would like to use.
The reason this worked is that the AAM_Backend_Manager::profileUpdate method that actually assigns these roles is triggered
by the profile_update and user_register actions, and failed to use a standard capability check.
The plugin's aam/v1/authenticate and aam/v2/authenticate REST endpoints were set to respond to a successful login with a
json-encoded copy of all metadata about the user, potentially exposing users' information to an attacker or low-privileged user.
This included items like the user's hashed password and their capabilities and roles, as well as any custom metadata
that might have been added by other plugins. This might include sensitive configuration information,
which an attacker could potentially use as part of an exploit chain.
Low-privileged attackers could potentially switch to a role that allowed them to either
directly take over a site or could be used as part of an exploit chain, depending on which roles were configured.
Furthermore attackers that are able to assign themselves a custom role using the vulnerability could view which capabilities
were assigned to them, allowing them to plan the next phase of their attack.
WordPress Advanced Access Manager plugin before version 6.6.2.
Update to version 6.6.2 or later.
|Copyright||Copyright (C) 2020 Greenbone Networks GmbH|
|This is only one of 85075 vulnerability tests in our test suite. Find out more about running a complete security audit.|
To run a free test of this vulnerability against your system, register below.