User Verification by PickPlugins WordPress plugin Authentication Bypass
LANAVDB ID: eeabe1d3-6f64-400a-8fb2-0865efdf6957
The plugin was affected by an authentication bypass vulnerability. To bypass authentication, we only need to know the user’s username. Usernames are usually public data and can be easily queried, so depending on whose username we know, we may even be given an administrator role on the website.
Let’s check the plugin
The user_verification_send_otp() function generates an OTP and sends it to the user by email, but the OTP is also returned in the AJAX response.
The problem is that this password, which should reach the user only via email, becomes public in this way.
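To make the defect and its fix concrete, here is an added, hypothetical WordPress AJAX OTP handler (not the plugin’s own code): the leaky form echoes the OTP back in the JSON, the corrected form never puts the secret in the response, stores only a hash of it with an expiry and attempt limit, verifies it with WordPress’s password check, and discards it after one use. All action names, nonce names, meta keys and POST field names are assumptions.

```php
<?php
// Hypothetical example, not code from the User Verification plugin.
// Action names, nonce names, meta keys and field names are assumptions.

// --- Leaky form: the OTP is emailed AND echoed back in the AJAX response ---
function example_send_otp_leaky() {
    $user = get_user_by( 'login', sanitize_user( $_POST['username'] ?? '' ) );
    if ( ! $user ) {
        wp_send_json_error( array( 'message' => 'Invalid request.' ) );
    }
    $otp = wp_generate_password( 6, false );
    update_user_meta( $user->ID, 'example_otp', $otp );          // plaintext at rest
    wp_mail( $user->user_email, 'Your login code', "Your OTP: $otp" );
    wp_send_json( array(
        'success_message' => 'OTP has been sent successfully.',
        'otp_via_mail'    => true,
        'password'        => $otp,   // anyone who knows the username now has the OTP
    ) );
}

// --- Corrected form: the secret leaves the server only through the email channel ---
function example_send_otp_fixed() {
    check_ajax_referer( 'example_otp_nonce', 'nonce' );
    $user = get_user_by( 'login', sanitize_user( $_POST['username'] ?? '' ) );
    // Same response whether or not the account exists, so usernames are not confirmed.
    if ( $user ) {
        $otp = wp_generate_password( 8, false );
        update_user_meta( $user->ID, 'example_otp_hash', wp_hash_password( $otp ) );
        update_user_meta( $user->ID, 'example_otp_expires', time() + 5 * MINUTE_IN_SECONDS );
        update_user_meta( $user->ID, 'example_otp_attempts', 0 );
        wp_mail( $user->user_email, 'Your login code', "Your OTP: $otp" );
    }
    wp_send_json_success( array( 'message' => 'If the account exists, an OTP has been sent.' ) );
}

function example_verify_otp_fixed() {
    check_ajax_referer( 'example_otp_nonce', 'nonce' );
    $user = get_user_by( 'login', sanitize_user( $_POST['username'] ?? '' ) );
    $otp  = (string) ( $_POST['otp'] ?? '' );
    $ok   = false;
    if ( $user ) {
        $hash     = (string) get_user_meta( $user->ID, 'example_otp_hash', true );
        $expires  = (int) get_user_meta( $user->ID, 'example_otp_expires', true );
        $attempts = (int) get_user_meta( $user->ID, 'example_otp_attempts', true );
        // Reject expired codes and cap guesses before touching the hash.
        if ( '' !== $hash && time() < $expires && $attempts < 5 ) {
            update_user_meta( $user->ID, 'example_otp_attempts', $attempts + 1 );
            $ok = wp_check_password( $otp, $hash );
        }
    }
    if ( ! $ok ) {
        wp_send_json_error( array( 'message' => 'Invalid or expired code.' ) );
    }
    // One-time use: discard the code as soon as it has been accepted.
    delete_user_meta( $user->ID, 'example_otp_hash' );
    delete_user_meta( $user->ID, 'example_otp_expires' );
    delete_user_meta( $user->ID, 'example_otp_attempts' );
    wp_set_current_user( $user->ID );
    wp_set_auth_cookie( $user->ID, false, is_ssl() );
    wp_send_json_success( array( 'message' => 'Logged in.' ) );
}

add_action( 'wp_ajax_nopriv_example_send_otp', 'example_send_otp_fixed' );
add_action( 'wp_ajax_nopriv_example_verify_otp', 'example_verify_otp_fixed' );
```

The check a reviewer wants for any OTP feature is the one the advisory itself performs: inspect the JSON the send-OTP call returns and confirm it carries nothing derived from the code, only a status message.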
Let’s configure the plugin
In the User Verification Settings, select the “Yes” option for “Enable on default login”.
This setting is required to log in to the website using the OTP.
Let’s see how we can exploit this vulnerability
All we have to do is check the response to the OTP request; the easiest way is with the browser console.
Screenshot: User Verification – Sent OTP at Login
Screenshot: User Verification – Enter OTP, and the password in the response
As we can see in the screenshot, the password is included in the JSON response:
{"success_message":"OTP has been sent successfully.","otp_via_mail":true,"password":"pQ8IAi","uv_otp_count":1}
If we enter this password in the “Enter OTP” field and click the Log In button, we are logged in as the given user.
Try it
Feel free to try and use the lana.solutions/vdb WordPress websites for testing. I have set the roles and capabilities, so you can only get low-level access to the website.
Website: https://lana.solutions/vdb/pickplugins-user-verification/
Tags: authentication bypass, exploit, wordpress plugin