Site registration exploit, creating new admin users using admin-ajax.php

  • Resolved polymashsupport

    (@polymashsupport)


    7 years, 11 months ago

    Has anyone experienced this?

    Suddenly there is a new admin user on your site, and they logged in.

    But I received NO alerts from Wordfence, this exploit bypassed all Wordfence protections.

    I detected that someone has been able to simply create a new admin level user ID on one of our sites using admin-ajax.php. The Wordfence logs indicate no suspicious activity before this, and the only entry I can see on the firewall looks like this:

    Please see the attached screenshot:

    https://www.screencast.com/t/RQIcOienoaC

    Wordfence did not detect or alert me to this.

    What can I do to prevent such attacks? Blocking the IP range is pointless, since they are obviously using IP spoofing.

    The page I need help with: [log in to see the link]

Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Support wfscott

    (@wfscott)

    7 years, 11 months ago

    Hello @polymashsupport,

    Could you please send over diagnostics via (Wordfence > Tools > Diagnostics > Send report by email) to scottm [at] wordfence [dot] com

    Please include your forum username in that second field when you send that over.

    We will be happy to take a look for you.

    -Scott

    Thread Starter polymashsupport

    (@polymashsupport)

    7 years, 11 months ago

    Thank you! (the diagnostic report was sent)

    Plugin Support wfscott

    (@wfscott)

    7 years, 10 months ago

    Hello @polymashsupport,

    I see that you have multiple plugins for custom functionality related to user accounts and login. It is possible that one of those plugins has a vulnerability. Unfortunately we can’t do a full code review of all your plugins which is what would be required to fully determine the point of entry. I would recommend that you reach out to the authors of those plugins and inquire about this issue. They may have gotten similar reports from other users and may have some more information.

    -Scott

    Plugin Support wfscott

    (@wfscott)

    7 years, 9 months ago

    Polymashsupport,

    I hope you have not had any repeat issues with regard to this. For the time being, we haven’t seen a correlation with regard to any specific plugin or theme and this issue. We would advise if this were to occur again to have someone take a look at your specific case (server setup, plugins, logs, etc.) and try to find a point of entry.

    Please feel free to reach out to us if you notice any other issues or have any questions.

    All the best,

    Scott

Viewing 4 replies - 1 through 4 (of 4 total)

The topic ‘Site registration exploit, creating new admin users using admin-ajax.php’ is closed to new replies.