WP OAuth Server ( Login with WordPress ) < 4.0.1 – Authentication Bypass | CVE 2022-34149

Description

The plugin is affected by an Auth Bypass security vulnerability. To bypass authentication, we only need to know the user’s username. Depending on whose username we know, which can be easily queried because it is usually public data, we may even be given an administrative role on the client’s website.

Proof of Concept

The plugin uses the wp_parse_auth_cookie() function to get logged in user. Which is a completely faulty use in this case, as it does not use authentication. Description of the function: "Authentication cookie components. None of the components should be assumed to be valid as they come directly from a client-provided cookie value." ... It is clearly described that the returned value is not validated. But the plugin doesn’t use any validation.

How to reproduce:
- Open OAuth server website
- Set the logged in cookie with the “test” username
- Open OAuth client website
- Click Single Sign On button (so start OAuth authentication)

You can set the cookie via a browser console using the JS script:
document.cookie="wordpress_logged_in_57a442d3cd2a47583304a69461f75869=admin%7Canything%7Canything%7Canything";

57a442d3cd2a47583304a69461f75869 is the md5(siteurl), but it is public data on all WordPress websites.