This is a summary of the AI-generated 10-question deep analysis. The full version (longer answers, follow-up Q&A, related CVEs) requires login.
Q1: What is this vulnerability? (Essence + Consequences)
**Essence**: Unauthenticated privilege escalation in the WordPress theme 'Sala'. **Consequences**: Attackers can hijack any account (including administrators) through the theme's password-reset function; full site takeover is possible.
**Product**: Sala - Startup & SaaS WordPress Theme. **Vendor**: uxper. **Affected**: Versions **<= 1.1.4**. If you are on 1.1.4 or older, you are at risk!
Q4: What can hackers do? (Privileges/Data)
**Privileges**: Full admin access. **Data**: Complete account takeover. Attackers can reset passwords for **arbitrary users**, including super admins; no existing password is needed to initiate the reset.
Q5: Is the exploitation threshold high? (Auth/Config)
**Threshold: LOW**. **Auth**: None required (unauthenticated). **Config**: The vulnerable handler is exposed directly as an AJAX endpoint and can be triggered with simple HTTP requests.
Q6: Is there a public exploit? (PoC/Wild Exploitation)
**Yes, public PoCs exist**. **GitHub**: Multiple exploits available (e.g., Yucaerin, UcenHaxor07). **Wild exploitation**: High risk. Automated scanners are likely already targeting this.
Q7: How to self-check? (Features/Scanning)
**Check**: Look for `wp_ajax_nopriv_change_password_ajax` in the theme code. **Scan**: Use WPScan or manual AJAX fuzzing on `/wp-admin/admin-ajax.php`. **Test**: Try resetting a password without being logged in…
**Fix**: Update to a version **> 1.1.4** immediately. **Official**: Check the vendor 'uxper' for the patched release. Do not ignore updates!
Q9: What if no patch? (Workaround)
**No patch?**: Disable the `change_password_ajax` function via a code snippet. **Mitigation**: Block access to `admin-ajax.php` for unauthenticated users if possible…
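One way to apply the "disable via code snippet" workaround without editing the theme itself is a must-use plugin that unhooks the unauthenticated AJAX handler and records any attempt to reach it. This is an added example, not code from the summary above or from the uxper theme: the hook name `wp_ajax_nopriv_change_password_ajax` comes from the self-check section, but the theme's callback name and registration priority are unknown, so the snippet removes every callback on that hook rather than a specific one. The file path `wp-content/mu-plugins/` and the log format are assumptions.

```php
<?php
/**
 * Plugin Name: Sala nopriv change_password_ajax hardening (added example)
 * Description: Drop this file into wp-content/mu-plugins/ (assumed location).
 *              It removes the unauthenticated AJAX handler named in the
 *              advisory and logs any request that still tries to call it.
 */

// Hook name taken from the advisory's self-check section.
const SALA_NOPRIV_HOOK = 'wp_ajax_nopriv_change_password_ajax';

add_action( 'admin_init', function () {
    // admin-ajax.php fires admin_init before dispatching wp_ajax_nopriv_{action},
    // so by now the theme has registered its handler and we can unhook it.
    // The theme's callback name is unknown (assumption), so drop all of them.
    if ( has_action( SALA_NOPRIV_HOOK ) ) {
        remove_all_actions( SALA_NOPRIV_HOOK );
    }

    // Re-register a refusing handler so the action is not simply undefined:
    // it returns 403 and leaves a trace in the PHP error log for detection.
    add_action( SALA_NOPRIV_HOOK, function () {
        $remote = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
        error_log( sprintf(
            'sala-hardening: blocked unauthenticated change_password_ajax request from %s',
            $remote
        ) );
        wp_send_json_error( array( 'message' => 'Not allowed.' ), 403 );
    } );
}, PHP_INT_MAX );
```

Keep the mu-plugin in place only until the site is on a patched release, then remove it. It deliberately leaves the authenticated `wp_ajax_change_password_ajax` variant alone because the summary describes only the unauthenticated path; whether logged-in low-privilege users can also reach the handler is something to verify separately. Blanket-blocking `admin-ajax.php` for anonymous visitors at the web-server level, the other mitigation the summary mentions, is stronger but can break front-end features of plugins that legitimately use `wp_ajax_nopriv_` hooks, so test it on a staging copy first.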