
Wordpress automatic plugin aux module #15776

Merged
merged 4 commits into from
Nov 5, 2021

Conversation

h00die
Contributor

@h00die h00die commented Oct 17, 2021

This module exploits an unauthenticated arbitrary wordpress options change vulnerability
in the Automatic (wp-automatic) plugin. We use that, very similar to the GDPR module to optionally:

  1. set the admin's email to one we control
  2. turn on user registration, set default registration role to admin, create a user

Verification

  • install the plugin
  • Do: use auxiliary/admin/http/wp_automatic_plugin_privesc
  • Do: set rhosts [IPs]
  • Do: set email [email address]
  • Do: run
  • Verify the settings were changed
  • Document docs look good

@h00die
Contributor Author

h00die commented Oct 17, 2021

If accepted, please add the 'hacktoberfest-accepted' label :)

Contributor

@jmartin-tech jmartin-tech left a comment


This looks good, thank you!

Some minor comments on metadata and logging messages.

register_advanced_options [
OptString.new('WPEMAIL', [false, 'Wordpress Administration Email (default: no email modification)', nil])
Contributor


Suggested change
OptString.new('WPEMAIL', [false, 'Wordpress Administration Email (default: no email modification)', nil])
OptString.new('WpEmail', [false, 'Wordpress Administration Email (default: no email modification)', nil])

This is registered as advanced.

Or, since this is presented as an option that needed to be called out in descriptions, it feels like this may be better presented as a standard option defaulted to nil.

Contributor Author


I modeled this after

OptString.new('WPEMAIL', [false, 'Wordpress Administration Email (default: no email modification)', nil])
since they are extremely similar. Can change, but just want to be consistent.

Contributor

@jmartin-tech jmartin-tech Oct 21, 2021


Understood, the comment was made based on review of this module and what I think a user would like to see when reviewing options for this module.

I can live with it as is. To be honest, I still fall on the side of this being an optional standard option for both modules.

@h00die
Contributor Author

h00die commented Oct 30, 2021

@jmartin-r7 was there anything still pending on this?

@jmartin-tech
Contributor

@h00die all my requests are handled, testing is still in queue.

@cdelafuente-r7 cdelafuente-r7 self-assigned this Nov 4, 2021
Contributor

@cdelafuente-r7 cdelafuente-r7 left a comment


Thanks for this module @h00die! I just left a few minor comments for you to review. Otherwise, it looks good to me. I'll start testing now.

return Exploit::CheckCode::Safe('Wordpress not detected.') unless wordpress_and_online?

# this is for pickup into the vulnerable plugins list
# check_plugin_version_from_readme('wp-automatic', '3.53.3')
Contributor


This is out of scope, but I'm just wondering if there would be a way to avoid adding a comment to be picked up by the update_wordpress_vulnerabilities.rb tool. Maybe using a specific info hash key/value pair, such as 'WordpressVulnType' => 'plugin'.

Contributor Author


In general, like 90+% of plugins use that function, so it seemed like the right answer (especially when not trying to change all of the wordpress modules). In theory, anything could be changed, but since wordpress plugin modules tend to be such a small portion of the framework, I didn't want to make anything global.
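The review thread above concerns the check method and the version it compares against (3.53.3 being the fixed release, 3.53.2 and below affected). As an added example, not the module's or Metasploit's own code, here is a stand-alone version check that reads the "Stable tag:" line of a plugin readme.txt and classifies the installed version; the readme contents are constructed for the demonstration.

```ruby
# Added example (not from the PR): classify a wp-automatic install from its
# readme.txt "Stable tag:" line. Affected: 3.53.2 and below; fixed: 3.53.3.
require 'rubygems'

FIXED_VERSION = Gem::Version.new('3.53.3')

# Extract the "Stable tag:" value WordPress plugin readmes carry.
# Returns nil when the tag is missing or is the non-numeric "trunk".
def stable_tag(readme)
  m = readme.match(/^\s*Stable tag:\s*([\w.\-]+)\s*$/i)
  return nil unless m
  tag = m[1]
  return nil if tag.casecmp('trunk').zero?
  tag
end

# true  -> version parsed and is below the fixed release
# false -> version parsed and is at or above the fixed release
# nil   -> version undetermined (report as unknown, never as safe)
def vulnerable_version?(readme)
  tag = stable_tag(readme)
  return nil if tag.nil?
  Gem::Version.new(tag) < FIXED_VERSION
rescue ArgumentError
  nil # malformed version string
end

# Constructed sample readmes (3.50.7 is the version the tester used above).
OLD_README   = "=== Wordpress Automatic Plugin ===\nRequires at least: 4.0\nStable tag: 3.50.7\n"
FIXED_README = "=== Wordpress Automatic Plugin ===\nStable tag: 3.53.3\n"
TRUNK_README = "=== Wordpress Automatic Plugin ===\nStable tag: trunk\n"

if __FILE__ == $PROGRAM_NAME
  [OLD_README, FIXED_README, TRUNK_README].each do |r|
    puts "#{stable_tag(r).inspect} -> vulnerable? #{vulnerable_version?(r).inspect}"
  end
end
```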

@cdelafuente-r7
Contributor

Thanks for making these changes @h00die! Everything looks good now. I tested against Wordpress 5.8.1 with Automatic 3.50.7 and verified a new user was created with the correct email, with the admin role. I'll go ahead and land it.

@cdelafuente-r7 cdelafuente-r7 merged commit 836422f into rapid7:master Nov 5, 2021
@cdelafuente-r7 cdelafuente-r7 added the rn-modules release notes for new or majorly enhanced modules label Nov 5, 2021
@cdelafuente-r7
Contributor

Release Notes

This adds an auxiliary module that leverages an unauthenticated arbitrary Wordpress options change vulnerability
in the Automatic (wp-automatic) plugin version 3.53.2 and below. The module enables user registration, sets the default user role to admin and creates a new privileged user with the provided email address.

@h00die h00die deleted the wp_automatic branch November 5, 2021 19:06
Labels
docs hacktoberfest-accepted module rn-modules release notes for new or majorly enhanced modules