
Commit 8432dc9

Update wordpress.md
1 parent 3a9011a commit 8432dc9

1 file changed

+1
-23
lines changed

1 file changed

+1
-23
lines changed

src/network-services-pentesting/pentesting-web/wordpress.md

Lines changed: 1 addition & 23 deletions
@@ -659,28 +659,6 @@ User-Agent: PoC
659659
Connection: close
660660
```
661661

662-
Expected success indicators
663-
664-
- Redirect to a plugin page (e.g., `/wp-admin/admin.php?page=candidates`).
665-
- New WordPress auth cookies issued; browser session becomes that user (ID 1 is commonly the first admin).
666-
667-
Detection checklist
668-
669-
- Access logs showing `?switch_back` (or `?switch_user=<id>`) in unauthenticated requests immediately followed by WordPress auth cookie issuance and a redirect to admin pages.
670-
- Inbound requests carrying `Cookie: original_user_id=*` on public endpoints.
671-
- Error pages triggered by `wp_die('Original user not found')` / `wp_die('No original user found…')` indicating probing.
672-
673-
Hardening
674-
675-
- Do not place login/state-changing flows on public `init`. Use `admin_post_*`/`wp_ajax_*` handlers and enforce `is_user_logged_in()` plus strong capability checks (e.g., `current_user_can('administrator')`).
676-
- Never derive identity from client cookies. Store the “original user” server-side (user meta) or use a signed, expiring token bound to the actor and verify it.
677-
- Make state-changing actions POST-only and require CSRF nonces (`check_admin_referer()` / `wp_verify_nonce()`).
678-
- Remove any `wp_ajax_nopriv_` exposure for these flows.
679-
680-
Impact
681-
682-
- Unauthenticated privilege escalation to any account, including administrator, leading to full site takeover.
683-
684662
---
685663

686664
### WAF considerations for WordPress/plugin CVEs
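Review bot: this hunk drops the only defensive material for the switch-back flow, the "Detection checklist" and "Hardening" bullets between the closing code fence and the `---` separator, while the PoC request above it and the Patchstack references below it remain; if the aim is to trim the write-up, keep at least the detection points (`?switch_back` / `?switch_user=<id>` in unauthenticated requests followed by auth cookie issuance, `Cookie: original_user_id=*` on public endpoints, the `wp_die('Original user not found')` error pages) and the hardening advice (no login flows on public `init`, `is_user_logged_in()` plus capability checks, server-side "original user" storage, POST-only with `check_admin_referer()` / `wp_verify_nonce()`), or say in the commit message why they were removed, since "Update wordpress.md" gives no rationale. The "Expected success indicators" and "Impact" bullets go with them, so the section now ends at the raw request with no statement of what the issue leads to.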
@@ -800,4 +778,4 @@ The server responds with the contents of `wp-config.php`, leaking DB credentials
800778
- [Unpatched Privilege Escalation in Service Finder Bookings Plugin](https://patchstack.com/articles/unpatched-privilege-escalation-in-service-finder-bookings-plugin/)
801779
- [Service Finder Bookings privilege escalation – Patchstack DB entry](https://patchstack.com/database/wordpress/plugin/sf-booking/vulnerability/wordpress-service-finder-booking-6-0-privilege-escalation-vulnerability)
802780

803-
{{#include ../../banners/hacktricks-training.md}}
781+
{{#include ../../banners/hacktricks-training.md}}
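Review bot: whitespace-only; the second blank line before the `{{#include ../../banners/hacktricks-training.md}}` banner is collapsed and one blank line is kept, so the include still sits apart from the reference list. Nothing to change here beyond mentioning the cleanup in the commit message together with the section removal above.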
