WP User Switch by IqbalRony WordPress plugin Authentication Bypass
LANAVDB ID: 0cfdc5fa-d219-46bb-b8cc-693ac28a9e92
The plugin was affected by an Auth Bypass vulnerability. To bypass authentication, we only need to know the admin’s username, which we can use to bypass authorization, then we can log in as any user from the user switch list.
Let’s check the plugin
The plugin lists the links required for switching users with the nonce in the admin bar.
The wpus_allow_user_to_admin_bar_menu() function checks the authorization to display switcher in the admin bar, whether the user is admin, with the following code:
After reloading the page, the user switch list is displayed in the admin bar. By clicking on a user in the list, you will be logged in to the user.
Screenshot: WP User Switch – The user switch list in the admin bar
Try it
Feel free to try and use the lana.solutions/vdb WordPress websites for testing. I have set the roles and capabilities, so you can only get low level access to the website.
WP User Switch by IqbalRony WordPress plugin Authentication Bypass
LANAVDB ID: 0cfdc5fa-d219-46bb-b8cc-693ac28a9e92
The plugin was affected by an Auth Bypass vulnerability. To bypass authentication, we only need to know the admin’s username, which we can use to bypass authorization, then we can log in as any user from the user switch list.
Let’s check the plugin
The plugin lists the links required for switching users with the nonce in the admin bar.
The
wpus_allow_user_to_admin_bar_menu()
function checks the authorization to display switcher in the admin bar, whether the user is admin, with the following code:The
wpus_is_switcher_admin()
function checks the authorization to list users, whether the user is admin, with the following code:The plugin does not use any encryption for the cookie value. Thus, it is a value that can be easily changed by the user.
Let’s see how we can exploit this vulnerability
The user switch list is displayed in the admin bar, so we need to log in to our user for the exploit.
After that we have to set the cookie using the browser’s Developer Tools on the client’s website, which in our case is https://lana.solutions/vdb/iqbalrony-wp-user-switch/
Cookie name:
wpus_who_switch
Cookie value:
admin
Screenshot: WP User Switch – Set cookie
After reloading the page, the user switch list is displayed in the admin bar. By clicking on a user in the list, you will be logged in to the user.
Screenshot: WP User Switch – The user switch list in the admin bar
Try it
Feel free to try and use the lana.solutions/vdb WordPress websites for testing. I have set the roles and capabilities, so you can only get low level access to the website.
Website: https://lana.solutions/vdb/iqbalrony-wp-user-switch/
References
Attributes
Classification
Researcher
Tags
authentication bypass exploit wordpress pluginSupport Us?
We would truly appreciate it if you bought us a bunny (food for a snow leopard).
Let's discuss