Vulnerability Description: The vulnerable code is located in /includes/func.php. The function import_data is registered as an AJAX action that any logged-in user can call; it writes caller-supplied data into arbitrary WordPress options, which allows modifying site settings and adding a new administrator and can lead to a full takeover of the site.
add_action( 'wp_ajax_import_data', 'import_data' );   // wp_ajax_* hooks are reachable by any authenticated user
function import_data(){
    // No nonce check and no capability check before the request data is used
    $name = stripslashes($_POST['name']);
    $code = base64_decode(trim($_POST['code']));
    if(is_string($code))
        $code = unserialize ($code);        // unserialize() on request-controlled input
    $value = get_option($name);
    if(isset($value)){
        update_option($name,$code);         // any existing option can be overwritten
    }else{
        echo "Error, Option does not exist !";
    }
    die();
}
Vulnerability Fix: to fix this vulnerability and secure your WordPress website, go […]
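As an added example (not the plugin's own code and not its vendor's patch), the same handler with the controls a defender would expect: a nonce, a capability check, an allowlist of writable option names, and no unserialize() of caller-supplied data. The nonce action name and the allowed option name are assumptions.

```php
<?php
// Added example of a hardened import_data handler. Not the plugin's own code.
// Assumptions: the nonce action 'example_import_data' and the option name in
// $allowed_options are illustrative, not taken from the original plugin.

add_action( 'wp_ajax_import_data', 'import_data_hardened' );

function import_data_hardened() {
    // 1. CSRF protection: the request must carry a nonce issued for this action
    //    (created on the admin page with wp_create_nonce( 'example_import_data' )).
    check_ajax_referer( 'example_import_data', 'nonce' );

    // 2. Authorization: being logged in is not enough; only users allowed to
    //    manage site options may reach this code.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'Insufficient permissions', 403 );
    }

    // 3. Restrict which options may be written. Without this, any existing
    //    option (including user-registration settings) could be overwritten.
    $allowed_options = array( 'example_plugin_settings' ); // assumed name
    $name = isset( $_POST['name'] ) ? sanitize_key( wp_unslash( $_POST['name'] ) ) : '';
    if ( ! in_array( $name, $allowed_options, true ) ) {
        wp_send_json_error( 'Option not permitted', 400 );
    }

    // 4. Never unserialize() request-controlled data (PHP object injection).
    //    Accept base64-encoded JSON and decode it to plain arrays instead.
    $raw  = isset( $_POST['code'] ) ? base64_decode( trim( wp_unslash( $_POST['code'] ) ), true ) : false;
    $data = ( false !== $raw ) ? json_decode( $raw, true ) : null;
    if ( ! is_array( $data ) ) {
        wp_send_json_error( 'Malformed payload', 400 );
    }

    // 5. Sanitize scalar values before storing; reject nested structures.
    $clean = array();
    foreach ( $data as $key => $value ) {
        if ( ! is_scalar( $value ) ) {
            wp_send_json_error( 'Unexpected value type', 400 );
        }
        $clean[ sanitize_key( $key ) ] = sanitize_text_field( (string) $value );
    }

    update_option( $name, $clean );
    wp_send_json_success( 'Imported' ); // wp_send_json_* terminate the request
}
```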