The plugin was affected by an authentication bypass vulnerability. To exploit it, we only need to know the administrator's username: with it we can bypass the authorization check, and then log in as any user from the user switch list.
Let’s check the plugin

The plugin renders the links required for switching users, each carrying a nonce, in the admin bar.

The wpus_allow_user_to_admin_bar_menu() function decides whether the current user is an administrator, and is therefore authorized to see the switcher in the admin bar, with the following code:

// The identity of the "switcher" is taken straight from a client-controlled cookie.
if ( isset( $_COOKIE['wpus_who_switch'] ) ) {
	$allowed_user_cookie = sanitize_user( $_COOKIE['wpus_who_switch'] );
}
// Any existing login name placed in the cookie resolves to that account.
$user    = get_user_by( 'login', $allowed_user_cookie );
$allcaps = is_object( $user ) ? (array) $user->allcaps : array();
// Only the presence of the key is tested, not whether the capability is true.
if ( array_key_exists( 'manage_options', $allcaps ) == true ) {
	return true;
}

The wpus_is_switcher_admin() function decides whether the current user is an administrator, and is therefore authorized to list users, with the same code:

// Identical check: the cookie, not the authenticated session, decides who is an admin.
if ( isset( $_COOKIE['wpus_who_switch'] ) ) {
	$allowed_user_cookie = sanitize_user( $_COOKIE['wpus_who_switch'] );
}
$user    = get_user_by( 'login', $allowed_user_cookie );
$allcaps = is_object( $user ) ? (array) $user->allcaps : array();
if ( array_key_exists( 'manage_options', $allcaps ) == true ) {
	return true;
}

The cookie value is neither encrypted nor signed, so it is a value the user can set to anything, including the administrator's login name.

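As an added example (not the plugin's code and not its actual fix), one way to harden this check while still remembering the original administrator across the switch: sign the cookie value with the site's salts so the browser cannot forge it, give it an expiry, and test the capability with user_can() instead of array_key_exists(). The wpus_example_ function names are hypothetical; if the plugin did not need to remember the switcher at all, current_user_can( 'manage_options' ) on the live session would be enough.

```php
<?php
// Added example, not the plugin's code: a signed replacement for the
// wpus_who_switch check. Function names with "wpus_example_" are hypothetical.

// Mint "login|expiry|mac" for a verified administrator who starts a switch.
function wpus_example_issue_switch_cookie( WP_User $switcher ) {
    if ( ! user_can( $switcher, 'manage_options' ) ) {
        return false;                       // only a real admin may start a switch
    }
    $expires = time() + HOUR_IN_SECONDS;
    $payload = $switcher->user_login . '|' . $expires;
    // HMAC keyed with the site's AUTH_KEY/AUTH_SALT; a client cannot compute it.
    $mac = hash_hmac( 'sha256', $payload, wp_salt( 'auth' ) );
    setcookie( 'wpus_who_switch', $payload . '|' . $mac, $expires,
               COOKIEPATH, COOKIE_DOMAIN, is_ssl(), true ); // Secure + HttpOnly
    return true;
}

// Replacement for the vulnerable check: returns the switcher's WP_User, or false.
function wpus_example_verified_switcher() {
    if ( ! isset( $_COOKIE['wpus_who_switch'] ) ) {
        return false;
    }
    $parts = explode( '|', (string) $_COOKIE['wpus_who_switch'] );
    if ( count( $parts ) !== 3 ) {
        return false;                       // a bare login such as "admin" no longer parses
    }
    list( $login, $expires, $mac ) = $parts;
    if ( ! ctype_digit( $expires ) || (int) $expires < time() ) {
        return false;                       // malformed or expired
    }
    $expected = hash_hmac( 'sha256', $login . '|' . $expires, wp_salt( 'auth' ) );
    if ( ! hash_equals( $expected, $mac ) ) {
        return false;                       // forged or tampered value
    }
    $user = get_user_by( 'login', sanitize_user( $login ) );
    // user_can() honours a capability explicitly set to false; array_key_exists() did not.
    // Re-checking on every request also revokes a switcher who has since been demoted.
    return ( $user && user_can( $user, 'manage_options' ) ) ? $user : false;
}

// Drop-in for wpus_is_switcher_admin() and wpus_allow_user_to_admin_bar_menu().
function wpus_example_is_switcher_admin() {
    return false !== wpus_example_verified_switcher();
}
```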

Let’s see how we can exploit this vulnerability

The user switch list is displayed in the admin bar, so we first need to log in with our own (low-privileged) user.

After that, we set the cookie using the browser's Developer Tools on the client's website, which in our case is https://lana.solutions/vdb/iqbalrony-wp-user-switch/

Cookie name: wpus_who_switch
Cookie value: admin


Screenshot: WP User Switch – Set cookie

After reloading the page, the user switch list is displayed in the admin bar. Clicking on a user in the list logs you in as that user.


Screenshot: WP User Switch – The user switch list in the admin bar


Try it

Feel free to try and use the lana.solutions/vdb WordPress websites for testing. I have set the roles and capabilities, so you can only get low-level access to the website.

Website: https://lana.solutions/vdb/iqbalrony-wp-user-switch/