The plugin was affected by an authentication bypass vulnerability. To bypass authentication, an attacker only needs to know a user's username. Usernames are usually public data and can be queried easily; depending on whose username is known, the attacker may even be granted an administrator role on the client's website.
Proof of Concept
The plugin uses the wp_parse_auth_cookie() function to determine the logged-in user. This is a faulty use in this case: wp_parse_auth_cookie() only splits the cookie into its parts and does not authenticate it, so the username it returns is never verified.
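The faulty pattern and its corrected form, as an added example that is not the affected plugin's code; the sso_resolve_user_* helper names are hypothetical, and the code assumes it runs inside a WordPress request:

```php
<?php
// Added example (not the affected plugin's code). Hypothetical helpers that
// resolve the user starting an SSO flow, in the faulty form the advisory
// describes and in a corrected form. Assumes execution inside WordPress.

// FAULTY: wp_parse_auth_cookie() only explodes the cookie into
// username|expiration|token|hmac. It checks neither the HMAC nor the
// expiration, so the 'username' field is whatever the client sent.
function sso_resolve_user_vulnerable() {
    $parts = wp_parse_auth_cookie( '', 'logged_in' );
    if ( ! $parts ) {
        return false;
    }
    // Trusts an unverified, client-controlled value.
    return get_user_by( 'login', $parts['username'] );
}

// CORRECTED: wp_validate_auth_cookie() recomputes the HMAC (keyed on the
// user's password hash and session token) and checks expiration before
// returning a user ID, so a forged cookie yields false.
function sso_resolve_user_fixed() {
    $user_id = wp_validate_auth_cookie( '', 'logged_in' );
    if ( ! $user_id ) {
        return false;
    }
    return get_user_by( 'id', $user_id );
}

// SIMPLEST: let WordPress validate the cookie during init and rely on the
// resulting current user instead of parsing the cookie at all.
function sso_resolve_user_current() {
    if ( ! is_user_logged_in() ) {
        return false;
    }
    return wp_get_current_user();
}
```

When reviewing plugins, any call to wp_parse_auth_cookie() whose result is used for authorization (rather than wp_validate_auth_cookie() or wp_get_current_user()) is the signature of this class of bug.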
How to reproduce:
- Open the OAuth server website
- Set the logged-in cookie with the “test” username
- Open the OAuth client website
- Click the Single Sign On button (this starts the OAuth authentication)
Exploit script: https://gist.github.com/lana-codes/f976ef5e6f094cacabb83a8b310cd3eb