WordPress Plugin Vulnerabilities

Clerk < 4.0.0 - Authentication Bypass and API Keys Disclosure

Description

The plugin is affected by time-based attacks in the validation function for all API requests due to the usage of comparison operators to verify API keys against the ones stored in the site options.

Proof of Concept

- Install the plugin and set the API creds to:

- Key: 

aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

- Private Key: 

aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

- Set up a postman GET call to http://<sitename>/wp-json/clerk/getconfig?key=1&private_key=2

- Set up a postman GET call to aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaab

- Run multiple times to get a faster response (on average) on the first request, which fails sooner.

Affects Plugins

Plugin icon
clerkio
Fixed in 4.0.0

References

CVE
CVE-2022-3907

Classification

Type
SENSITIVE DATA DISCLOSURE
OWASP top 10
A3: Sensitive Data Exposure
CWE
CWE-200
CVSS
3.7 (low)

Miscellaneous

Original Researcher
Francesco Carlucci
Submitter
Francesco Carlucci
Submitter website
https://carluc.ci
Submitter twitter
francecarlucci
Verified
Yes
WPVDB ID
7920c1c1-709d-4b1f-ac08-f0a02ddb329c

Timeline

Publicly Published
2022-11-10 (about 1 years ago)
Added
2022-11-10 (about 1 years ago)
Last Updated
2022-11-18 (about 1 years ago)

Other

Published
Title
Published
2022-02-14
Title
Video Conferencing with Zoom < 3.8.17 - E-mail Address Disclosure
Published
2023-11-06
Title
Restrict Content < 3.2.8 - Information Exposure via legacy log file
Published
2024-04-05
Title
ConvertKit < 2.4.6 - Unauthenticated Sensitive Information Exposure
Published
2023-12-05
Title
Ultimate Dashboard < 3.7.11 - Login Page Disclosure on Multi-site
Published
2024-04-22
Title
StreamWeasels Twitch Integration < 1.8.0 - Unauthenticated Sensitive Information Exposure