As I promised, I would like to explain how I was awarded my first 4 digit bounty in 5 minutes!
Without Delay, Let's get started to understand this vulnerability.
Target Website was hosted on WordPress. The version of the WordPress website was the latest one. I have noticed that a number of plugins were used on xyz.com Also, the wp-login page was also there. I have checked all registration pages and signup pages of the target website.
Note: Every plugin has a WordPress installation page but it's disabled by the administrator. That means any user/admin can able to install WordPress and create their admin account on that website.
While performing Recon on a subdomain of a private bug-bounty program, I found one of the URLs where I can able to register a new account with admin privilege.
Steps To Reproduce:
- First, I have used waybackurl to find the endpoint of the website.
The endpoint was /wp-admin/install.php
- If you are able to find this endpoint in any WordPress website then click on the Install WordPress button and register your email address.
(Note: You will get a similar endpoint on many WordPress websites but new registration button/functionality might be disabled on that website.)
- Once you registered, you will get a confirmation link to set a new password.
- Now Visit https://xyz.com/wp-login.php
- Now, login with your registered email address, and Boom! I got access to the admin panel of the WordPress website.
6. I can perform all activities and upload all images on this domain and change configuration files as you want.
Thank you for reading my blog.
Guys, if you will able to find a similar bug after reading this blog kindly message me its feel good :)