The WPSchoolPress plugin (≤ v2.2.16) fails to validate user permissions in the `wpsp_DeleteUser()` function, allowing teacher-level accounts to delete any user. Attackers exploit this by sending crafted requests to the vulnerable endpoint without server-side checks. The function processes deletion requests using unsanitized `user_id` parameters, enabling privilege escalation via account removal.
DailyCVE Form:
Platform: WordPress
Version: ≤2.2.16
Vulnerability: Unauthorized user deletion
Severity: Critical
Date: 03/28/2025
What Undercode Say:
Exploit:
1. Craft POST request to `/wp-admin/admin-ajax.php`:
action=wpsp_DeleteUser&user_id=TARGET_ID
2. Use teacher-level session cookies.
Protection:
1. Patch to v2.2.17+.
2. Add capability check:
if (!current_user_can('delete_users')) { wp_die(); }
3. .htaccess mitigation (note that this blocks every request to admin-ajax.php, including legitimate dashboard and front-end AJAX, so it is a short-term lockdown rather than a targeted fix):
<Files "admin-ajax.php">
    Require all denied
</Files>
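The capability check in the Protection section is the core of the fix; the following is an added example (not WPSchoolPress's own code) of what a complete AJAX deletion handler looks like when that check, a CSRF nonce and input validation are all applied server-side. The `wpsp_DeleteUser` hook name matches the page; the function bodies, the nonce action name and the `user_id` handling are assumptions about the plugin's shape, shown beside the unsafe pattern the advisory describes:

```php
<?php
// Added example: an AJAX user-deletion handler hardened the way the Protection
// section describes. Illustrative code, not the plugin's own; only the hook
// name wpsp_DeleteUser comes from the advisory, everything else is assumed.

// Assumed shape of the flaw: trusts the caller and the raw user_id parameter.
function wpsp_DeleteUser_unsafe() {
    $user_id = $_POST['user_id'];   // unsanitized
    wp_delete_user($user_id);       // no capability check, no nonce check
    wp_send_json_success();
}

// Hardened version.
function wpsp_DeleteUser_safe() {
    // 1. CSRF: the request must carry a nonce issued to this logged-in user
    //    (the JS side obtains it via wp_create_nonce('wpsp_delete_user')).
    check_ajax_referer('wpsp_delete_user', 'nonce');

    // 2. Authorization: checked on the server, on the acting user, every time.
    //    A teacher-level role does not hold delete_users, so it stops here.
    if (!current_user_can('delete_users')) {
        wp_send_json_error(['message' => 'Forbidden'], 403);
    }

    // 3. Input validation: coerce to a positive integer, confirm the user exists.
    $user_id = absint($_POST['user_id'] ?? 0);
    if ($user_id === 0 || !get_userdata($user_id)) {
        wp_send_json_error(['message' => 'Invalid user_id'], 400);
    }

    // 4. Defense in depth: this endpoint never removes an administrator
    //    or the caller's own account, even for a privileged caller.
    if (user_can($user_id, 'manage_options') || $user_id === get_current_user_id()) {
        wp_send_json_error(['message' => 'Refused'], 403);
    }

    // wp_delete_user() lives in wp-admin/includes/user.php.
    require_once ABSPATH . 'wp-admin/includes/user.php';
    if (!wp_delete_user($user_id)) {
        wp_send_json_error(['message' => 'Deletion failed'], 500);
    }
    wp_send_json_success(['deleted' => $user_id]);
}

// Only the logged-in hook is registered; there is no wp_ajax_nopriv_ variant,
// so anonymous callers never reach the handler at all.
add_action('wp_ajax_wpsp_DeleteUser', 'wpsp_DeleteUser_safe');
```

The order matters: the nonce check rejects cross-site requests before any work is done, the capability check is what actually closes this CVE, and the validation and self/admin guards limit damage if a privileged session is ever misused.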
Detection:
grep -r "wpsp_DeleteUser" /var/www/html/
Log Analysis:
SELECT * FROM wp_logs WHERE request LIKE '%wpsp_DeleteUser%';
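The log query above assumes that deletion requests are being recorded somewhere. As an added example (not the plugin's code), the following must-use plugin writes one audit line for every user-deletion attempt using WordPress core's `delete_user` action, which fires before the row is removed; the log format and the field names are assumptions:

```php
<?php
// Added example: audit every user-deletion attempt so the Detection section's
// log search has a reliable source. Drop into wp-content/mu-plugins/.
// The delete_user hook and its ($id, $reassign) arguments are WordPress core;
// the log line format is assumed.

add_action('delete_user', function ($deleted_id, $reassign) {
    $actor  = wp_get_current_user();
    $roles  = $actor->exists() ? implode(',', $actor->roles) : 'none';
    $ip     = isset($_SERVER['REMOTE_ADDR'])
        ? sanitize_text_field(wp_unslash($_SERVER['REMOTE_ADDR'])) : 'unknown';
    // Which admin-ajax action (if any) triggered this deletion, e.g. wpsp_DeleteUser.
    $action = isset($_REQUEST['action']) ? sanitize_key($_REQUEST['action']) : '-';

    error_log(sprintf(
        'user-delete actor=%d roles=%s ip=%s ajax_action=%s target=%d reassign=%s actor_can_delete=%s',
        $actor->ID,
        $roles,
        $ip,
        $action,
        (int) $deleted_id,
        $reassign === null ? 'none' : (string) (int) $reassign,
        current_user_can('delete_users') ? 'yes' : 'no'
    ));
}, 0, 2);
```

A line with `ajax_action=wpsp_DeleteUser` and `actor_can_delete=no` is the direct signature of this issue being exercised; alerting on any `user-delete` line whose `roles` lacks `administrator` catches the same thing without depending on the plugin's action name.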
Temporary Fix:
add_action('wp_ajax_wpsp_DeleteUser', function () { wp_send_json_error(null, 403); }, 0);
Impact Analysis:
- Compromised admin accounts.
- Data integrity loss.
Mitigation Steps:
1. Disable plugin.
2. Audit user roles.
3. Restore backups.
References:
Reported By: https://nvd.nist.gov/vuln/detail/CVE-2025-1668

