The plugin contains an Auth Bypass vulnerability. To bypass authentication, we only need to know the user’s username. Depending on whose username we know, which can be easily queried because it is usually public data, we may even be given an administrator role on the website.
User Verification by PickPlugins WordPress plugin Authentication Bypass
REPORT ID: eeabe1d3-6f64-400a-8fb2-0865efdf6957
Drag and Drop Multiple File Upload – Contact Form 7 by CodeDropz WordPress plugin Non-Arbitrary File Upload
REPORT ID: a9e6e1de-7ee2-4ebf-aff0-a609860e8b58
The plugin contains a Non-Arbitrary File Upload vulnerability due a missing form id check and an incorrect nonce check. The vulnerability allow us to upload files to the server without it being assigned to an existing form. Note: only limited file types can be uploaded.
OAuth Single Sign On – SSO (OAuth Client) by miniOrange WordPress plugin Authentication Bypass
REPORT ID: 071fa6eb-2e54-43a1-b37f-1e562988b7d4
The plugin contains an Auth Bypass vulnerability. To bypass authentication, we only need to know the user’s username. Depending on whose username we know, which can be easily queried because it is usually public data, we may even be given an administrator role on the client’s website. Note: The plugin was affected by Missing Authorization vulnerability too. There are a lot of vulnerabilities and bugs in the code. But the analysis only deals with Auth Bypass because it is the most serious vulnerability. Note: To exploit the vulnerability, we need to log in with a user with any role.
OAuth client Single Sign On for WordPress (OAuth 2.0 SSO) by securiseweb WordPress plugin Authentication Bypass
REPORT ID: 85e045c9-1d56-4b58-9088-bac0aa3a1173
The plugin contains an Auth Bypass vulnerability. To bypass authentication, we only need to know the user’s email address. Depending on whose email address we know, we may even be given an administrator role on the client’s website. Note: The plugin was affected by Missing Authorization and Cross-Site Request Forgery (CSRF) vulnerabilities too. There are a lot of vulnerabilities and bugs in the code. But the analysis only deals with Auth Bypass because it is the most serious vulnerability.
Profile Builder by Cozmoslabs WordPress plugin Privilege Escalation
REPORT ID: 512e7307-04a5-4d8b-8f79-f75f37784a9f
The plugin contains an Insecure Password Reset Mechanism and a Sensitive Information Disclosure via Shortcode vulnerability, which leads to Privilege Escalation. The plugin has an improperly used method allowing to reset the user password, and gain unauthorized access. The key required for password reset, which is stored in the database, can be retrieved with the plugin’s shortcode as an authenticated user.