The plugin was affected by an Auth Bypass vulnerability. To bypass authentication, we only need to know the user’s username. Depending on whose username we know, which can be easily queried because it is usually public data, we may even be given an administrator role on the website.

 

Let’s check the plugin

The user_verification_send_otp() function generates an otp with the following code:

$password = wp_generate_password(6, false, false);
update_user_meta($user_id, 'uv_otp', $password);

and sends the user the otp by email with the following code:

$user_data['otp'] = $password;
$otp_via_mail = user_verification_send_otp_via_mail($user_data);

but the otp is also returned in the ajax response:

$response['password'] = $password;
echo json_encode($response);

The problem is that the password, which should only be received by the user via email, becomes public in this way.

 

Let’s configure the plugin

In the User Verification Settings, select the “Yes” option for “Enable on default login”.

This setting is required to log in to the website using otp.

 

Let’s see how we can exploit this vulnerability

All we have to do is check the request response, the easiest way is with the browser console.


Screenshot: User Verification – Sent OTP at Login


Screenshot: User Verification – Enter OTP, and and the password in reponse

As we can see in the screenshot, the password is included in the json in the response:

{"success_message":"OTP has been sent successfully.","otp_via_mail":true,"password":"pQ8IAi","uv_otp_count":1}

 
If we enter this password in the “Enter OTP” field and click on the Log In button, we will log in to the given user.

 

Try it

Feel free to try and use the lana.solutions/vdb WordPress websites for testing. I have set the roles and capabilities, so you can only get low level access to the website.

Website: https://lana.solutions/vdb/pickplugins-user-verification/