BookIt by StylemixThemes WordPress plugin Authentication Bypass
REPORT ID: 0dea1346-fd60-4338-8af6-6f89c29075d4
The plugin contains an authentication bypass vulnerability. To bypass authentication, we only need to know a user’s email address. Depending on whose email address we know, we may even be given an administrator role on the website.
Let’s check the plugin
The save() method in the AppointmentController class handles the appointment booking with the following code:
It extracts the data from the request, cleans it, and then checks during validation that all required parameters are present.
Then the get_customer( $data ) method in the CustomerController class determines and authenticates the user with the following code:
Then the save_or_get_wp_user( $data ) method in the Customers class determines the user with the following code:
As we can see, the user is determined based on the email without authentication. This means that if the email address is specified in the request, the plugin logs the user in without authentication.
Let’s see how we can exploit this vulnerability
We only need to send a POST request to exploit this vulnerability.
The HTTP request:
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded
action=bookit_book_appointment&email=info%40lana.codes&password=-&password_confirmation=-&full_name=text&nonce=38039a9e39
We can find the nonce in the bookit_window.nonces.bookit_book_appointment JavaScript object. The nonce JavaScript object is only present on the page with the [bookit] shortcode.
The exploit script
I created a Python script which updates the specified user’s email:
Source: stylemixthemes_bookit_plugin_vdb_get_exploit_cookie.py
How to use:
Since the nonce JavaScript object is only present on the page with the [bookit] shortcode, we need to specify the slug of that page. Run the above command in the Linux terminal.
We get something like this:
Then all we have to do is set the cookie using the browser’s Developer Tools on the website.
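The remediation side of this finding, as an added example that is neither the report's nor the plugin's own code: the pattern the report describes (look the account up by email and log it in) next to a hardened version that never issues a session from a booking request. The function names, the bookit_ prefix and the nonce action name are assumptions.

```php
<?php
// Added example, not BookIt's source; names and the nonce action are assumed.

// Weak pattern as the report describes it: whoever supplies a registered
// e-mail address ends up logged in as that account.
function weak_save_or_get_wp_user( array $data ) {
    $user = get_user_by( 'email', $data['email'] );
    if ( $user ) {
        wp_set_auth_cookie( $user->ID ); // session granted on an e-mail alone
    }
    return $user;
}

// Hardened: a booking never creates a session. An existing account can only be
// used by a visitor already authenticated as that account; any other request
// naming a registered e-mail is refused instead of silently elevated.
function hardened_save_or_get_wp_user( array $data ) {
    $user = get_user_by( 'email', $data['email'] );
    if ( $user ) {
        if ( ! is_user_logged_in() || get_current_user_id() !== (int) $user->ID ) {
            return new WP_Error( 'bookit_login_required',
                'An account exists for this e-mail address; please log in to book with it.' );
        }
        return $user; // caller already holds a valid session for this user
    }
    // Unknown e-mail: create the customer account but do NOT log it in.
    $user_id = wp_create_user( $data['email'], wp_generate_password(), $data['email'] );
    if ( is_wp_error( $user_id ) ) {
        return $user_id;
    }
    return get_user_by( 'id', $user_id ); // deliberately no wp_set_auth_cookie()
}

// AJAX entry point: the nonce only proves the request originated from the
// [bookit] page, so it is verified first but never treated as authentication.
function hardened_bookit_book_appointment() {
    check_ajax_referer( 'bookit_book_appointment', 'nonce' );
    $email = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    if ( ! is_email( $email ) ) {
        wp_send_json_error( 'A valid e-mail address is required.' );
    }
    $user = hardened_save_or_get_wp_user( [ 'email' => $email ] );
    if ( is_wp_error( $user ) ) {
        wp_send_json_error( $user->get_error_message() );
    }
    wp_send_json_success( [ 'user_id' => $user->ID ] );
}
add_action( 'wp_ajax_bookit_book_appointment', 'hardened_bookit_book_appointment' );
add_action( 'wp_ajax_nopriv_bookit_book_appointment', 'hardened_bookit_book_appointment' );
```

With this shape, the request shown in the report returns an error for any registered email unless the browser already carries that user's session, so knowing an address no longer yields a cookie.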