Sala – Startup & SaaS WordPress Theme 未授权权限提升漏洞

漏洞信息

漏洞名称： Sala – Startup & SaaS WordPress Theme 未授权权限提升漏洞

漏洞编号：

• CVE： CVE-2025-4606

漏洞类型： 权限提升

漏洞等级： 严重

漏洞描述： Sala – Startup & SaaS WordPress Theme 是一款专为初创公司和SaaS企业设计的WordPress主题，广泛应用于企业官网和在线服务平台。该主题在版本1.1.4及之前存在一个严重的未授权权限提升漏洞，允许攻击者无需认证即可重置任意用户的密码，包括管理员账户，从而实现账户完全接管。

漏洞的根源在于主题中注册了一个名为change_password_ajax的函数，该函数通过wp_ajax_nopriv_钩子暴露了一个AJAX端点，允许未认证用户直接调用。该函数在设置新密码时未对请求者的身份进行验证，导致攻击者可以通过构造特定的POST请求，向/wp-admin/admin-ajax.php?action=change_password_ajax发送请求，重置任意用户的密码。

此漏洞的影响极为严重，攻击者只需知道目标站点的有效用户名（如常见的’admin’），即可通过简单的HTTP请求重置该用户的密码，进而完全控制该账户。由于无需任何认证，漏洞的利用门槛极低，且可以自动化执行，对使用受影响版本主题的网站构成了极大的安全威胁。建议所有使用Sala主题的用户立即升级到最新版本，或采取其他缓解措施以防止潜在的攻击。

产品厂商： WordPress

产品名称： Sala – Startup & SaaS WordPress Theme

影响版本： <= 1.1.4

来源： https://github.com/Yucaerin/CVE-2025-4606

类型： CVE-2025:github search

仓库文件

• README.md
• exp.py

来源概述

CVE-2025-4606- WordPress Sala Theme <= 1.1.4 - Unauthenticated Privilege Escalation via Password Reset/Account Takeover

🔥 Vulnerability Summary
The WordPress theme Sala versions <= 1.1.4 is vulnerable to an unauthenticated privilege escalation vulnerability. This flaw allows unauthenticated attackers to reset passwords of arbitrary users — including administrators — by directly invoking an exposed AJAX endpoint without verifying the identity of the requester.

This vulnerability stems from the change_password_ajax function registered to wp_ajax_nopriv_, which sets a new password for any valid user login without checking if the request is authorized.

🔍 Affected Theme

• Theme Name: Sala – Startup & SaaS WordPress Theme
• Affected Version: <= 1.1.4
• Vulnerability Type: Unauthenticated Privilege Escalation
• CVE ID: CVE-2025-4606
• CVSS Score: 9.8 (Critical)
• Impact: Complete Account Takeover (Including Admin)

🧪 Exploit Features

• 🔓 No authentication required
• 🔄 Overwrites any user’s password by providing a valid login name
• 📬 Targets the AJAX endpoint /wp-admin/admin-ajax.php?action=change_password_ajax
• 🧠 Works instantly if the attacker knows a valid username (e.g., admin)

🧠 Researcher

• Credit: Thai An

🚀 Usage

1. Identify a valid username on the target WordPress site. You can do this by checking:

   • Public author archive URLs (/author/username)

2. Craft the following POST request to reset the user’s password:

   POST /wp-admin/admin-ajax.php HTTP/1.1
   Host: targetsite.com
   Content-Type: application/x-www-form-urlencoded
   
   action=change_password_ajax&login=admin&new_password=hacked123

3. If successful, you can now log in as the targeted user using the new password (hacked123 in the example above).

4. Visit /wp-login.php and verify access.

🛠 Fix Recommendations

• Theme developers should remove or secure the wp_ajax_nopriv_change_password_ajax hook.
• Always check is_user_logged_in() and verify the identity of the user before allowing sensitive actions.
• Implement nonce checks to prevent CSRF and unauthenticated abuse.

🔒 Disclaimer:
This information is provided for educational and authorized penetration testing purposes only. Unauthorized exploitation of systems is illegal and unethical.

📚 Reference:

• Wordfence Advisory