Profile Builder by Cozmoslabs WordPress plugin Authentication Bypass
LANAVDB ID: 512e7307-04a5-4d8b-8f79-f75f37784a9f
The plugin was affected by an authentication bypass vulnerability. Its password-recovery handler looks the user up by the hashed activation key stored in the database, and its usermeta shortcode lets a logged-in user read that stored value, so an attacker can reset another user's password and gain unauthorized access to the account.
Let’s check the plugin
The wppb_toolbox_usermeta_handler() function gets user meta with the following code:
$value = $user->get( $atts['key'] );
There are no restrictions on which user meta values can be queried. Note that WP_User::get() does not only read user meta: it first returns the columns of the users table (user_email, user_pass, user_activation_key, ...) when the key matches one of them, so any field of the user record can be read through the shortcode.
The wppb_front_end_password_recovery() function handles the password reset with the following code:
$key = sanitize_text_field( $_POST['key'] );
$user_object = $wpdb->get_row( $wpdb->prepare( "SELECT * FROM $wpdb->users WHERE user_activation_key = %s", $key ) );
The problem is that it looks the user up by comparing the submitted key directly against the hashed activation key stored in the database, so the stored value itself is accepted as a valid reset key.
Note: In the core method (get_password_reset_key()), a random key is sent to the user by email and only a hash of it is stored in the database. During password reset, check_password_reset_key() verifies the key from the email against the stored hash with a password-hash check, so the database value is never accepted as the key itself; this prevents abuse of the stored hashed key by anyone who can read it.
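As an added illustration, not the plugin's code or the vendor's fix, the following PHP shows the two weak spots beside hardened versions that rely only on WordPress core APIs. The wrapper function names (example_usermeta_shortcode, example_lookup_user_by_reset_key_vulnerable, example_recover_password_hardened) and the allowlist of meta keys are assumptions made for this example.

```php
<?php
// Added example, not Profile Builder's own code. Function names and the
// allowlist below are assumptions; every other call is a WordPress core API.

// 1. Usermeta shortcode. WP_User::get() falls through to the users-table
//    columns (user_pass, user_activation_key, user_email, ...) before it
//    reads wp_usermeta, so an unrestricted key exposes any field of the row.
function example_usermeta_shortcode( $atts ) {
    $atts = shortcode_atts(
        array( 'user_id' => get_current_user_id(), 'key' => '' ),
        $atts
    );

    // Assumed allowlist: only meta keys that are safe to render publicly.
    $allowed = array( 'first_name', 'last_name', 'nickname', 'description' );
    if ( ! in_array( $atts['key'], $allowed, true ) ) {
        return '';
    }

    $user = get_user_by( 'id', (int) $atts['user_id'] );
    if ( ! $user ) {
        return '';
    }

    // get_user_meta() reads wp_usermeta only; it cannot reach the users table,
    // so even a key like "user_activation_key" returns nothing here.
    return esc_html( get_user_meta( $user->ID, $atts['key'], true ) );
}

// 2a. Password recovery, vulnerable pattern: the submitted key is compared
//     with the stored hash, so whoever reads the stored value can use it.
function example_lookup_user_by_reset_key_vulnerable( $key ) {
    global $wpdb;
    return $wpdb->get_row( $wpdb->prepare(
        "SELECT * FROM {$wpdb->users} WHERE user_activation_key = %s",
        $key
    ) );
}

// 2b. Hardened: let core verify the plaintext key against the stored hash
//     (including its expiry) instead of querying the column directly.
function example_recover_password_hardened( $key, $login, $pass1, $pass2 ) {
    // Returns WP_User on success, WP_Error for an invalid or expired key.
    $user = check_password_reset_key( $key, $login );
    if ( is_wp_error( $user ) ) {
        return $user;
    }

    if ( '' === $pass1 || $pass1 !== $pass2 ) {
        return new WP_Error( 'password_mismatch', 'The passwords do not match.' );
    }

    // Hashes and stores the new password and clears user_activation_key.
    reset_password( $user, $pass1 );
    return $user;
}
```

check_password_reset_key() needs the user login as well as the key, which is why core's reset link carries both; a recovery form that posts only the key has to be extended with a login field (or equivalent) before it can use the core check. The "forgot password" step of the same flow should generate the key with get_password_reset_key() so that only the hash ever reaches the database.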
Let’s configure the plugin
In the Profile Builder Settings, select the “Yes” option for “Enable Usermeta shortcode” on the “Advanced Settings” tab, “Shortcodes” subtab.
This setting allows the website to use the [user_meta] shortcode.
Let’s create a Recover Password page and add the following shortcode to it:
[wppb-recover-password]
Let’s see how we can exploit this vulnerability
There is an AJAX shortcode parser that returns the rendered output of a shortcode, and it can be called by any logged-in user, so a low-privileged account can obtain the stored user_activation_key value through [user_meta]. Note that user_activation_key is empty until a reset key has been generated for the account (core does this in get_password_reset_key()), and core's wp_set_password() clears it again once the password changes.
I created a Python script that returns the user_activation_key; the script returns the user activation key as a string.
Then we can use the key for the password reset. For this, we have to open the Recover Password page and add the key parameter to it.
If the key is correct, we use the form to change the user's password using the password and repeat password fields.
Try it
Feel free to try and use the lana.solutions/vdb WordPress websites for testing. I have set up the roles and capabilities, so you can only get low-level access to the website.
Website: https://lana.solutions/vdb/cozmoslabs-profile-builder/