diff --git a/src/network-services-pentesting/pentesting-web/wordpress.md b/src/network-services-pentesting/pentesting-web/wordpress.md index 0001805b3..549507bfc 100644 --- a/src/network-services-pentesting/pentesting-web/wordpress.md +++ b/src/network-services-pentesting/pentesting-web/wordpress.md @@ -659,28 +659,6 @@ User-Agent: PoC Connection: close ``` -Expected success indicators - -- Redirect to a plugin page (e.g., `/wp-admin/admin.php?page=candidates`). -- New WordPress auth cookies issued; browser session becomes that user (ID 1 is commonly the first admin). - -Detection checklist - -- Access logs showing `?switch_back` (or `?switch_user=`) in unauthenticated requests immediately followed by WordPress auth cookie issuance and a redirect to admin pages. -- Inbound requests carrying `Cookie: original_user_id=*` on public endpoints. -- Error pages triggered by `wp_die('Original user not found')` / `wp_die('No original user found…')` indicating probing. - -Hardening - -- Do not place login/state-changing flows on public `init`. Use `admin_post_*`/`wp_ajax_*` handlers and enforce `is_user_logged_in()` plus strong capability checks (e.g., `current_user_can('administrator')`). -- Never derive identity from client cookies. Store the “original user” server-side (user meta) or use a signed, expiring token bound to the actor and verify it. -- Make state-changing actions POST-only and require CSRF nonces (`check_admin_referer()` / `wp_verify_nonce()`). -- Remove any `wp_ajax_nopriv_` exposure for these flows. - -Impact - -- Unauthenticated privilege escalation to any account, including administrator, leading to full site takeover. - --- ### WAF considerations for WordPress/plugin CVEs 
@@ -800,4 +778,4 @@ The server responds with the contents of `wp-config.php`, leaking DB credentials - [Unpatched Privilege Escalation in Service Finder Bookings Plugin](https://patchstack.com/articles/unpatched-privilege-escalation-in-service-finder-bookings-plugin/) - [Service Finder Bookings privilege escalation – Patchstack DB entry](https://patchstack.com/database/wordpress/plugin/sf-booking/vulnerability/wordpress-service-finder-booking-6-0-privilege-escalation-vulnerability) -{{#include ../../banners/hacktricks-training.md}} \ No newline at end of file +{{#include ../../banners/hacktricks-training.md}}
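Review bot: The first hunk (`@@ -659,28 +659,6 @@`) removes the `Detection checklist` and `Hardening` bullets together with the `Impact` line, which were the defensive counterpart to the PoC request retained directly above them, and nothing in the diff replaces that guidance; the two Patchstack references kept in the second hunk still describe this exact privilege escalation, so the page now documents the request without telling a reader how to spot or fix it. Consider keeping at least the detection and hardening bullets, for example `- Inbound requests carrying `Cookie: original_user_id=*` on public endpoints.` and `- Never derive identity from client cookies. Store the “original user” server-side (user meta) or use a signed, expiring token bound to the actor and verify it.`, either in place or moved under the retained `### WAF considerations for WordPress/plugin CVEs` heading, and if the removal is intentional, say why in the commit message.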
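Review bot: The second hunk (`@@ -800,4 +778,4 @@`) only adds the missing trailing newline after `{{#include ../../banners/hacktricks-training.md}}` (the `\ No newline at end of file` marker on the `-` side shows the file previously ended without one); that is a correct fix, but it is unrelated to the content removal in the first hunk, so it would read more cleanly as its own commit or at least be mentioned in the commit message so the whitespace change is not mistaken for part of the section removal.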