Ebor Framework by tommusrhodus, the framework behind the author's WordPress themes such as Foundry, Stack, LaunchKit and Pivot, suffers from a pretty nasty security issue:

Exposed WP Options

The more common finding is a related class of vulnerability: exposed theme/plugin options. The principle is the same, an attacker can read and/or modify the theme's or plugin's own settings, but in the case of exposed WP Options the attacker can modify any option stored in the wp_options table, including core options such as users_can_register and default_role.

Impact

Depending on the setup this might even lead to RCE, but the most straightforward attack is to enable user registration (the users_can_register option, if it was disabled; since no nonce is checked, the same write can also be triggered via CSRF against a logged-in user), set default_role to administrator, and then register a new account, which is created with the Administrator role.

The code

Ebor Framework v1.4.3

https://github.com/tommusrhodus/Ebor-Framework/blame/61a58853bb3521948a45858e7867e73a8ac8a88c/ebor_functions.php#L6-L9

/**
 * Update an option name with a value, both given by $_POST data
 */
function ebor_framework_update_option(){
    update_option($_POST['optionName'], $_POST['optionValue']);
}
add_action('wp_ajax_ebor_framework_update_option', 'ebor_framework_update_option');

The issue

The problem with the code should be clear:

  • It writes any option key with any value, with no allowlist of the theme's own settings
  • It does not check the caller's capability
  • It does not check a nonce, so it is also exposed to CSRF

The handler is registered only on wp_ajax_ (not wp_ajax_nopriv_), so a login is required, but any authenticated user, whatever the role (Customer, Subscriber, Editor, etc.), can update any WordPress option.
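A hardened form of the same handler, as an added example that is not the vendor's actual fix: it requires the manage_options capability, verifies a nonce, and refuses any option name outside an allowlist of the theme's own settings, so core options like default_role can never be written through this endpoint. The two allowlisted option names, the nonce action name and the admin.js script handle are assumptions for illustration.

```php
<?php
/**
 * Hardened replacement for ebor_framework_update_option().
 * Added example, not the vendor's code. The option names below, the nonce
 * action 'ebor_framework_update_option' and the 'ebor_framework_admin'
 * script handle are assumed for illustration.
 */

// Allowlist: the only option names this AJAX endpoint may ever write.
// Core options (default_role, users_can_register, ...) are not in it.
function ebor_framework_allowed_options() {
    return array(
        'ebor_framework_layout',        // assumed theme setting
        'ebor_framework_accent_color',  // assumed theme setting
    );
}

function ebor_framework_update_option() {
    // 1. Capability: only users who may manage site options get this far.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges.' ), 403 );
    }

    // 2. CSRF: check_ajax_referer() dies with HTTP 403 when the 'nonce'
    //    field is missing or does not match this action.
    check_ajax_referer( 'ebor_framework_update_option', 'nonce' );

    // 3. Allowlist: reject any option name outside the theme's settings.
    $name = isset( $_POST['optionName'] )
        ? sanitize_key( wp_unslash( $_POST['optionName'] ) )
        : '';
    if ( ! in_array( $name, ebor_framework_allowed_options(), true ) ) {
        wp_send_json_error( array( 'message' => 'Option not allowed.' ), 400 );
    }

    // 4. Sanitize the value before it reaches wp_options.
    $value = isset( $_POST['optionValue'] )
        ? sanitize_text_field( wp_unslash( $_POST['optionValue'] ) )
        : '';

    update_option( $name, $value );
    wp_send_json_success( array( 'option' => $name ) );
}
// Deliberately no wp_ajax_nopriv_ hook: anonymous callers never reach the handler.
add_action( 'wp_ajax_ebor_framework_update_option', 'ebor_framework_update_option' );

// Hand the nonce to the theme's admin script so legitimate requests can send it.
function ebor_framework_admin_scripts( $hook ) {
    wp_enqueue_script(
        'ebor_framework_admin',
        get_template_directory_uri() . '/js/admin.js', // assumed path
        array( 'jquery' ),
        '1.0',
        true
    );
    wp_localize_script( 'ebor_framework_admin', 'eborFramework', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'ebor_framework_update_option' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'ebor_framework_admin_scripts' );
```

With this in place the request from the POC below fails three times over: a Subscriber is rejected by the capability check, a request without a valid nonce dies in check_ajax_referer() before anything is written, and default_role is not an allowed option name even for an administrator. The order matters: the capability check runs first so that unprivileged users cannot probe nonce handling at all.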

Simple POC

$ curl 'http://127.0.0.1/wp-admin/admin-ajax.php' -H 'Cookie: [CUSTOMER_AUTH_COOKIES]' --data 'action=ebor_framework_update_option&optionName=default_role&optionValue=administrator'

Exploit Impact

6/10 - An attacker needs to be authenticated. Most of the author's themes (https://themeforest.net/user/tommusrhodus/portfolio) are probably affected. Confirmed: Foundry, Stack, LaunchKit, Pivot. Confirmed total sales of the affected themes: 10,713.

Timeline

31 - 10 - 2017 - Vulnerability discovered
31 - 10 - 2017 - Vendor notified
06 - 11 - 2017 - Vendor fixed the issue
17 - 11 - 2017 - Vulnerability goes public